09/15/2021 10:16:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284878 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x970 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:16:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284877 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc20 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:17:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299838 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1618 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:17:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299837 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:17:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299839 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17d4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:17:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299841 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19b0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:17:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299840 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1214 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:17:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299842 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x58c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:17:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299843 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18b8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:17:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299846 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x148CA0D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
09/15/2021 10:17:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299845 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x148CA0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53648 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
09/15/2021 10:17:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299844 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x148CA0D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege
09/15/2021 10:17:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284879 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 84.242.35.58 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
09/15/2021 10:17:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284881 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb0c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
09/15/2021 10:17:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284880 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x380 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
09/15/2021 10:17:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284882 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd68 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
09/15/2021 10:17:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284883 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x168 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
09/15/2021 10:17:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284885 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xa30 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
09/15/2021 10:17:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284884 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xfc0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
09/15/2021 10:17:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284886 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xbfc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
09/15/2021 10:18:02 AM LogName=Security SourceName=Microsoft Windows security auditing.
EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299847 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:18:17 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299849 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1730 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:17 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299848 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1790 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:21 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299850 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a78 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:22 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299852 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:22 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299851 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xfb0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:23 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299853 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:24 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299854 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x175c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:26 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284887 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:18:42 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299857 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1490424 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:18:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299856 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1490424 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53661 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:18:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299855 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1490424 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:18:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284889 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb14 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284888 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284890 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284891 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x300 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284892 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd88 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284894 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xfd0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:18:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284893 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xa64 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299859 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13c4 New Process Name: C:\Windows\System32\dllhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x354 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299858 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdc0 New Process Name: C:\Windows\System32\taskhostw.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4f8 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: taskhostw.exe U Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299872 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14926BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299871 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14927AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299870 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14927F5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299869 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1492B38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53671 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299868 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1492B38 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=299867 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-DC-55$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {05E83C31-73FF-B99C-E772-262346255870} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. 
Ticket options, encryption types, and failure codes are defined in RFC 4120. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4770 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=299866 Keywords=Audit Success Message=A Kerberos service ticket was renewed. Account Information: Account Name: WIN-DC-55$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x10002 Ticket Encryption Type: 0x12 Ticket options and encryption types are defined in RFC 4120. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299865 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14927F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 53670 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299864 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14927F5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299863 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14927AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299862 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14927AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299861 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14926BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53669 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:19:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299860 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14926BF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:19:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299874 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xabc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299873 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1408 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299875 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x810 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299878 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18f8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299877 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1492B38 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:19:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299876 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b00 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299885 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1444 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299884 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1494AA6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:19:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299883 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1494AA6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53676 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:19:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299882 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1494AA6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:19:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299881 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1494A3A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:19:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299880 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1494A3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53675 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:19:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299879 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1494A3A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:19:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299886 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11a4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299887 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\WIN-DC-55$ Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1485FAE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:19:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299888 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:19:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299891 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1495D0C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:19:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299890 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1495D0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53680 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:19:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299889 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1495D0C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:19:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284896 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x9e0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284895 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd64 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284897 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284898 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x934 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284900 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdb0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284899 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x950 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:19:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284901 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xec8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284902 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:20:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299893 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16c8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299892 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x12f4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299894 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x890 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299896 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x660 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299895 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x15b4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299897 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17e8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299898 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1720 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299899 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: SECRETARY Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 91.220.163.18 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:20:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299902 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x149977B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:20:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299901 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x149977B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53693 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:20:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299900 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x149977B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:20:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284904 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x914 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284903 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xcd8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284905 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf60 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284906 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xaf8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284907 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x93c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284909 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xa6c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:20:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284908 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb6c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284910 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 84.242.35.58 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:21:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299903 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:21:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299905 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x39c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299904 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x15fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299906 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x49c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284911 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 202.61.229.191 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:21:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299908 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x964 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299907 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xde4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299909 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284912 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: SECRETARY Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 91.220.163.18 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:21:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299910 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x83c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299912 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Process Information: New Process ID: 0x18ec New Process Name: C:\Windows\System32\InstallAgent.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x354 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\System32\InstallAgent.exe -Embedding Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299911 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Process Information: New Process ID: 0xdf0 New Process Name: C:\Windows\System32\taskhostw.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x4f8 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: taskhostw.exe Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284913 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:21:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x149EBB3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:21:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299914 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x149EBB3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53707 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:21:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299913 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x149EBB3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:21:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284915 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf2c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284914 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x428 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284916 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc30 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284917 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf80 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284919 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x970 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284918 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc20 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:21:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284920 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf7c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299917 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xba4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299916 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299918 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1acc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299920 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11c0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299919 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xbd0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299921 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x15a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299922 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x770 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299925 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A2490 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:22:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299924 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A2490 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53720 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:22:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299923 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A2490 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:22:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284922 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x960 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284921 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xbac New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284923 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x128 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284924 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x80c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284926 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x8fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284925 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x814 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284927 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xee4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:22:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299926 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:23:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299928 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1990 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299927 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1788 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284928 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:23:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299929 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1218 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299931 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1474 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299930 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16d8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299932 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19bc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299933 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x117c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299936 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A5F7B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:23:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299935 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A5F7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53733 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:23:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299934 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A5F7B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:23:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284930 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd9c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284929 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf40 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284931 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb78 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284932 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284934 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xcf0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284933 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:23:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284935 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xcb8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299949 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6CB6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299948 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6DA5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 
09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299947 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6DED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299946 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A6E9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53746 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299945 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6E9D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299944 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A6DED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 53743 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299943 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6DED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299942 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A6DA5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299941 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6DA5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299940 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A6CB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53742 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299939 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6CB6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299938 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A6C94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53741 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299937 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6C94 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:24:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299951 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b9c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299950 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299952 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13e0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299955 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19c4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299954 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6E9D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:24:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299953 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299962 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A936D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:24:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299961 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A936D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53751 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299960 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A936D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:24:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299959 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A92FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:24:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299958 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14A92FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53750 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299957 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A92FF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:24:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299956 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x189c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299963 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299964 Keywords=Audit Failure Message=An account failed to log on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADRIEN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 119.18.39.54 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284936 Keywords=Audit Failure Message=An account failed to log on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 84.242.35.58 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299965 Keywords=Audit Failure Message=An account failed to log on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299968 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14AA0F3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299967 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14AA0F3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299966 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14AA0F3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:24:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284937 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284938 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb90 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284939 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3c8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284940 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc34 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284942 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284941 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xec8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284943 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdd0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299970 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1744 New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0x174c Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299969 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x174c New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x75c Creator Process Name: C:\Windows\explorer.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284944 Keywords=Audit Failure Message=An account failed to log on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:24:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299974 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1390 New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x1744 Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5956.5.2125203246\2040213146" -childID 3 -isForBrowser -prefsHandle 2804 -prefMapHandle 2800 -prefsLen 1765 -prefMapSize 235529 -jsInit 1132 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5956 "\\.\pipe\gecko-crash-server-pipe.5956" 2680 26562cfad38 tab Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299973 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x6cc New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x1744 Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5956.3.624013728\85768484" -childID 2 -isForBrowser -prefsHandle 2648 -prefMapHandle 2644 -prefsLen 1728 -prefMapSize 235529 -jsInit 1132 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5956 "\\.\pipe\gecko-crash-server-pipe.5956" 2660 26562892138 tab Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299972 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc24 New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x1744 Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5956.1.1238842016\1577298861" -childID 1 -isForBrowser -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 1622 -prefMapSize 235529 -jsInit 1132 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5956 "\\.\pipe\gecko-crash-server-pipe.5956" 2396 26561141f38 tab Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:24:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299971 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1820 New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0x1744 Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5956.0.260963574\179579187" -parentBuildID 20210903235534 -prefsHandle 1864 -prefMapHandle 1844 -prefsLen 1 -prefMapSize 235529 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5956 "\\.\pipe\gecko-crash-server-pipe.5956" 1924 2655d9be538 gpu Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:00 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299975 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x724 New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x1744 Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5956.7.2106057636\1856197598" -childID 4 -isForBrowser -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 10692 -prefMapSize 235529 -jsInit 1132 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5956 "\\.\pipe\gecko-crash-server-pipe.5956" 4148 265672d5138 tab Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299976 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1738 New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x1744 Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5956.9.1335880927\1754917651" -childID 5 -isForBrowser -prefsHandle 4428 -prefMapHandle 4552 -prefsLen 11355 -prefMapSize 235529 -jsInit 1132 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5956 "\\.\pipe\gecko-crash-server-pipe.5956" 7216 2655cb18738 tab Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299977 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a68 New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x1744 Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5956.11.385560453\1892313461" -parentBuildID 20210903235534 -prefsHandle 7136 -prefMapHandle 7916 -prefsLen 11509 -prefMapSize 235529 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5956 "\\.\pipe\gecko-crash-server-pipe.5956" 8476 26564b27138 rdd Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299979 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1330 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299978 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd9c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299980 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1244 New Process Name: C:\Users\Administrator\Downloads\ChromeSetup.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0x1744 Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe Process Command Line: "C:\Users\Administrator\Downloads\ChromeSetup.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299989 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b6c New Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x270 Creator Process Name: C:\Windows\System32\services.exe Process Command Line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299988 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1448 New Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0xa18 Creator Process Name: C:\Program Files (x86)\Google\Temp\GUM3943.tmp\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={AD134246-3A95-3E3D-F37E-0E030789AB43}&lang=en&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=FKPE&installdataindex=empty" /installsource taggedmi /sessionid "{CBA6D326-7121-4F79-88BE-22154A8E3779}" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299987 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1668 New Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0xa18 Creator Process Name: C:\Program Files (x86)\Google\Temp\GUM3943.tmp\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping -PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTQzOTMuNDU4MyIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4zNi4xMDIiIGxhbmc9ImVuIiBicmFuZD0iRktQRSIgY2xpZW50PSIiIGlpZD0ie0FEMTM0MjQ2LTNBOTUtM0UzRC1GMzdFLTBFMDMwNzg5QUI0M30iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNDc4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299986 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17f8 New Process Name: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0xc68 Creator Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299985 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11c0 New Process Name: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0xc68 Creator Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299984 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1134 New Process Name: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0xc68 Creator Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleUpdateComRegisterShell64.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299983 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc68 New Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0xa18 Creator Process Name: C:\Program Files (x86)\Google\Temp\GUM3943.tmp\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299982 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x9e4 New Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0xa18 Creator Process Name: C:\Program Files (x86)\Google\Temp\GUM3943.tmp\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299981 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xa18 New Process Name: C:\Program Files (x86)\Google\Temp\GUM3943.tmp\GoogleUpdate.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0x1244 Creator Process Name: C:\Users\Administrator\Downloads\ChromeSetup.exe Process Command Line: "C:\Program Files (x86)\Google\Temp\GUM3943.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={AD134246-3A95-3E3D-F37E-0E030789AB43}&lang=en&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=FKPE&installdataindex=empty" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=299998 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4f8 Process Name: C:\Windows\System32\svchost.exe 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=299997 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4f8 Process Name: C:\Windows\System32\svchost.exe 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299996 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14CCBA5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299995 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14CCBA5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C94D4C0C-504F-97EA-1FD5-CCBD7EB26B7D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. 
It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299994 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14CCBA5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=299993 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x490ED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=299992 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14CC608 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C94D4C0C-504F-97EA-1FD5-CCBD7EB26B7D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=299991 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14CC608 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:25:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=299990 Keywords=Audit Success Message=A Kerberos service ticket was requested. 
Account Information: Account Name: WIN-DC-55$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {2E63E202-0610-39A7-46A0-2226730B3A61} Service Information: Service Name: WIN-DC-55$ Service ID: ATTACKRANGE\WIN-DC-55$ Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 09/15/2021 10:25:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=299999 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1480 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300000 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xfbc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300002 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x153c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300001 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300004 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ae0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300003 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Process Information: New Process ID: 0x1284 New Process Name: C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\93.0.4577.82_chrome_installer.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0x1b6c Creator Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\93.0.4577.82_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Windows\TEMP\gui4DB5.tmp" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:25:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300006 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ab0 New Process Name: C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\CR_32D65.tmp\setup.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0x171c Creator Process Name: C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\CR_32D65.tmp\setup.exe Process Command Line: "C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\CR_32D65.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.82 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7f8976ee0,0x7ff7f8976ef0,0x7ff7f8976f00 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300005 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x171c New Process Name: C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\CR_32D65.tmp\setup.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0x1284 Creator Process Name: C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\93.0.4577.82_chrome_installer.exe Process Command Line: "C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\CR_32D65.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{14AD4D4F-9569-410E-9330-502035E013CF}\CR_32D65.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Windows\TEMP\gui4DB5.tmp" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300007 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: GAST Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 91.220.163.18 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. 
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:25:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300011 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19d4 New Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1b6c Creator Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300010 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1388 New Process Name: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1b6c Creator Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300009 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf00 New Process Name: C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1b6c Creator Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Process Command Line: "C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300008 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Process Information: New Process ID: 0xdc0 New Process Name: C:\Windows\System32\dllhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x354 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300012 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Process Information: New Process ID: 0xac4 New Process Name: C:\Windows\System32\dllhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x354 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=300015 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14E2407 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300014 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14E2407 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53872 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:25:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=300013 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14E2407 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:25:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=300016 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14A6C94 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:25:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284946 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x494 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284945 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb20 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284947 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xaf8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284948 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284949 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdf8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284951 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xccc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:25:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284950 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc28 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300023 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11a4 New Process Name: C:\Windows\System32\svchost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x270 Creator Process Name: C:\Windows\System32\services.exe Process Command Line: C:\Windows\system32\svchost.exe -k wsappx Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=300022 Keywords=Audit Success Message=Special privileges assigned to new logon. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 09/15/2021 10:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300021 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x270 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300020 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14E967F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {641209BD-4B81-6BFF-856D-32E50B919619} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 53879 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. 
It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=300019 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14E967F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300018 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x440 New Process Name: C:\Windows\System32\conhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1ae0 Creator Process Name: C:\Windows\System32\CompatTelRunner.exe Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:04 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300017 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ae0 New Process Name: C:\Windows\System32\CompatTelRunner.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x3a0 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300026 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-590$ Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x14EE7D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {FF29BAEE-F184-E3A7-5968-3E5DC89DDDE0} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 64225 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=300025 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: WIN-HOST-590$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {8FFDCD5D-092D-50A5-6F84-F6F1BCE0896C} Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 64227 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 09/15/2021 10:26:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4770 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=300024 Keywords=Audit Success Message=A Kerberos service ticket was renewed. 
Account Information: Account Name: WIN-HOST-590$@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 64226 Additional Information: Ticket Options: 0x10002 Ticket Encryption Type: 0x12 Ticket options and encryption types are defined in RFC 4120. 09/15/2021 10:26:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300027 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:26:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284952 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: GAST Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 91.220.163.18 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:26:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=300028 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14E967F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:26:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300031 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b38 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=300030 Keywords=Audit Success Message=An account was logged off. 
Subject: Security ID: ATTACKRANGE\WIN-HOST-590$ Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x14EE7D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:26:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300029 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x152c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300032 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x87c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300034 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1918 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300033 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x664 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300035 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb00 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300036 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdac New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284953 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=300039 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1506365 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300038 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1506365 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53888 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:26:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=300037 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1506365 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:26:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300041 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.82 --initial-client-data=0xa8,0xac,0xb0,0x84,0xb4,0x7ffc5633a380,0x7ffc5633a390,0x7ffc5633a3a0 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300040 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x181c New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x75c Creator Process Name: C:\Windows\explorer.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300050 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19e0 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300049 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd0 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300048 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1404 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300047 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10d4 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300046 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1130 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300045 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdb8 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300044 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x128 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1996 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300043 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7d8 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300042 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x774 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 /prefetch:2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300052 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Process Information: New Process ID: 0x11e4 New Process Name: C:\Windows\System32\dllhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x354 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300051 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1478 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300082 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ef4 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7136 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300081 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1eec New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300080 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ee4 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6264 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300079 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ed0 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7024 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300078 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ec0 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300077 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e90 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6796 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300076 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e38 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300075 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e18 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6552 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300074 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1db0 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300073 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1da8 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300072 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1da0 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5744 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300071 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d98 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300070 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d90 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5780 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300069 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d88 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5740 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300068 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d80 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5844 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300067 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d78 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5136 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300066 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d70 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300065 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d30 New Process Name: C:\Program Files\Google\Chrome\Application\93.0.4577.82\Installer\chrmstp.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1cdc Creator Process Name: C:\Program Files\Google\Chrome\Application\93.0.4577.82\Installer\chrmstp.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\93.0.4577.82\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.82 --initial-client-data=0x218,0x21c,0x220,0x6c,0x224,0x7ff64a916ee0,0x7ff64a916ef0,0x7ff64a916f00 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300064 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ce4 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5268 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300063 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cdc New Process Name: C:\Program Files\Google\Chrome\Application\93.0.4577.82\Installer\chrmstp.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\93.0.4577.82\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel=stable --force-configure-user-settings Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300062 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cd4 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5524 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300061 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cb4 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300060 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c7c New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5932 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300059 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c50 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300058 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c04 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300057 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Process Information: New Process ID: 0x1274 New Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x354 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300056 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x187c New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5536 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300055 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1518 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300054 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x141c New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5236 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300053 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ab0 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284955 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x344 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284954 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x5b8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300091 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d40 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6256 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300090 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d54 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6284 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300089 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c94 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6612 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300088 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c70 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6576 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. 
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300087 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c64 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5396 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284956 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc20 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300086 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0c New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5836 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300085 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ff4 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5948 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300084 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1fe8 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6492 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300083 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1fdc New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284957 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd54 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284959 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf90 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300093 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e50 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
09/15/2021 10:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300092 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1df8 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284958 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7c0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284960 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe70 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:26:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284961 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 202.61.229.191 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:27:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300097 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ca8 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300096 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cb8 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300095 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cac New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300094 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c84 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300098 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d48 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300099 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1de0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300101 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e44 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300100 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10b0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300102 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ecc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300103 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Process Information: New Process ID: 0x18e8 New Process Name: C:\Windows\System32\dllhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x354 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\system32\DllHost.exe /Processid:{448AEE3B-DC65-4AF6-BF5F-DCE86D62B6C7} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=300106 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x153E513 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:27:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300105 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x153E513 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7F23DDF9-A63A-4F09-7B94-17580C65BB97} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 52829 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:27:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=300104 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x153E513 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:27:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284962 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 84.242.35.58 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300117 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f24 New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3884 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=300116 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4f8 Process Name: C:\Windows\System32\svchost.exe 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Security Group Management OpCode=Info RecordNumber=300115 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4f8 Process Name: C:\Windows\System32\svchost.exe 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=300114 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x153F8E4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300113 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x153F8E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C94D4C0C-504F-97EA-1FD5-CCBD7EB26B7D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=300112 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x153F8E4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=300111 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x14CC608 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300110 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x153F498 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C94D4C0C-504F-97EA-1FD5-CCBD7EB26B7D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested. 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=300109 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x153F498 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=300108 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x161c New Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\Low Mandatory Level Creator Process ID: 0x181c Creator Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe Process Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,5865294782834729920,10455436014970876841,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3900 /prefetch:8 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300107 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. 
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:27:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284963 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xfb4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284964 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3bc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284965 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc90 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=300118 Keywords=Audit Failure Message=An account failed to log on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: INFO Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 91.220.163.18 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:27:52 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284966 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284968 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x934 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284967 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xbdc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:27:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284969 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf14 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301160 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x6a4 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICISA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301159 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301158 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web Data Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301157 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Visited Links Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301156 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Trusted Vault Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301155 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301154 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301153 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Top Sites Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301152 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sync Data Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301151 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301150 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301149 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301148 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301147 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301146 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301145 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301144 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301143 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301142 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301141 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301140 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\MANIFEST-000001 Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301139 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\LOG Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301138 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\LOCK Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301137 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\CURRENT Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301136 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\000003.log Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301135 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Persistent State Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301134 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301133 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301132 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\MANIFEST-000001 Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301131 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\LOG Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301130 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\LOCK Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301129 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\CURRENT Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301128 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301127 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301126 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\index Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301125 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_3 Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301124 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301123 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_1 Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301122 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_0 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301121 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301120 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301119 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301118 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301117 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301116 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301115 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301114 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\the-real-index Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301113 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301112 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301111 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301110 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301109 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\MANIFEST-000001 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301108 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\LOG Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301107 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\LOCK Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301106 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\CURRENT Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301105 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\000003.log Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301104 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Network Persistent State Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301103 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301102 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301101 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\MANIFEST-000001 Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301100 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\LOG Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301099 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\LOCK Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301098 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\CURRENT Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301097 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\000003.log Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301096 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301095 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\index Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301094 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_3 Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301093 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_2 Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301092 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_1 Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301091 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_0 Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301090 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301089 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301088 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301087 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir\the-real-index Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301086 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301085 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301084 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301083 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir\the-real-index Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301082 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301081 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301080 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000001 Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301079 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301078 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOCK Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301077 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301076 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301075 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301074 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Shortcuts Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301073 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301072 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301071 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301070 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301069 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOCK Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301068 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301067 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301066 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000001 Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301065 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301064 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOCK Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301063 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301062 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301061 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sessions Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301060 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13276175210169047 Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301059 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Session Storage Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301058 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000001 Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301057 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301056 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301055 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301054 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301053 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301052 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL-journal Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301051 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301050 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\PreferredApps Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301049 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301048 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_and_features_store Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301047 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_and_features_store\LOG Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301046 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_and_features_store\LOCK Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301045 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301044 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301043 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOCK Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301042 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301041 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301040 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301039 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301038 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301037 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301036 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301035 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\LOG Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301034 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\LOCK Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301033 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301032 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301031 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301030 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301029 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301028 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301027 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301026 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301025 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301024 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001 Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301023 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301022 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301021 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301020 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301019 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History-journal Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301018 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301017 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301016 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301015 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GPUCache Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301014 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301013 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301012 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2 Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301011 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301010 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0 Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301009 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301008 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GCM Store Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301007 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301006 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301005 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301004 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOCK Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301003 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301002 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000003.log Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301001 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301000 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300999 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300998 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOCK Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300997 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300996 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300995 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOCK Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300994 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300993 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Favicons Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300992 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300991 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300990 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0 Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300989 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_metadata Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300988 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_metadata\verified_contents.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300987 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300986 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\zh_TW Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300985 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\zh_TW\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300984 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\zh_CN Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300983 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\zh_CN\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300982 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\vi Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300981 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\vi\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300980 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\uk Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300979 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\uk\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300978 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\tr Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300977 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\tr\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300976 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\th Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300975 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\th\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300974 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\sr Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300973 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\sr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300972 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\sl Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300971 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\sl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300970 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\sk Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300969 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\sk\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300968 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\se Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300967 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\se\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300966 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ru Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300965 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ru\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300964 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ro Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300963 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ro\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300962 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\pt_PT Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300961 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\pt_PT\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300960 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\pt_BR Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300959 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\pt_BR\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300958 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\pl Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300957 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\pl\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300956 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\no Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300955 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\no\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300954 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\nl Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300953 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\nl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300952 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\lv Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300951 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\lv\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300950 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\lt Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300949 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\lt\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300948 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ko Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300947 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ko\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300946 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ja Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300945 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ja\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300944 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\it Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300943 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\it\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300942 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\id Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300941 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\id\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300940 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\hu Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300939 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\hu\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300938 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\hr Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300937 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\hr\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300936 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\hi Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300935 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\hi\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300934 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fr Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300933 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fr\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300932 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fil Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300931 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fil\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300930 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fi Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300929 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fi\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300928 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\es Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300927 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\es\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300926 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\en Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300925 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\en\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300924 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\el Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300923 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\el\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300922 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300921 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300920 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\da Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300919 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\da\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300918 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\cs Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300917 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\cs\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300916 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ca Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300915 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ca\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300914 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\bg Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300913 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\bg\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300912 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ar Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300911 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ar\messages.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300910 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\manifest.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300909 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\128.png Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300908 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300907 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300906 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300905 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\verified_contents.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300904 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300903 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300902 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300901 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300900 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300899 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300898 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300897 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300896 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300895 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300894 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300893 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300892 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300891 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300890 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300889 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300888 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300887 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300886 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300885 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300884 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300883 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300882 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300881 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300880 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300879 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300878 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300877 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300876 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300875 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300874 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300873 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300872 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300871 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300870 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300869 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300868 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lv Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300867 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lv\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300866 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300865 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300864 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300863 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300862 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ja Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300861 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ja\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300860 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300859 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300858 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300857 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300856 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300855 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300854 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300853 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300852 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300851 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300850 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300849 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300848 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300847 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300846 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300845 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300844 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300843 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300842 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419 Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300841 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300840 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300839 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300838 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300837 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300836 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300835 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300834 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\el Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300833 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\el\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300832 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300831 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300830 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300829 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300828 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300827 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300826 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300825 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300824 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300823 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300822 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300821 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300820 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_pressed.png Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300819 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_maximize.png Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300818 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_hover.png Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300817 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300816 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button.png Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300815 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300814 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png Handle ID: 0x764 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300813 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300812 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300811 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\craw_window.html Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300810 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300809 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\craw_window.css Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300808 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300807 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300806 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300805 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0 Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300804 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_metadata Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300803 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_metadata\verified_contents.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300802 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_metadata\computed_hashes.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300801 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300800 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\zu Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300799 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\zu\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300798 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\zh_TW Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300797 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\zh_TW\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300796 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\zh_HK Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300795 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\zh_HK\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300794 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\zh_CN Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300793 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\zh_CN\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300792 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\vi Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300791 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\vi\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300790 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ur Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300789 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ur\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300788 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\uk Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300787 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\uk\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300786 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\tr Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300785 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\tr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300784 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\th Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300783 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\th\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300782 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\te Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300781 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\te\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300780 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ta Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300779 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ta\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300778 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sw Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300777 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sw\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300776 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sv Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300775 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sv\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300774 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sr Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300773 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300772 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sl Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300771 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sl\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300770 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sk Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300769 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\sk\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300768 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\si Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300767 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\si\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300766 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ru Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300765 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ru\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300764 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ro Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300763 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ro\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300762 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\pt_PT Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300761 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\pt_PT\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300760 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\pt_BR Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300759 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\pt_BR\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300758 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\pl Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300757 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\pl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300756 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\pa Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300755 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\pa\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300754 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\no Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300753 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\no\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300752 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\nl Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300751 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\nl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300750 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ne Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300749 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ne\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300748 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\my Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300747 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\my\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300746 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ms Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300745 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ms\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300744 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\mr Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300743 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\mr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300742 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\mn Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300741 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\mn\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300740 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ml Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300739 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ml\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300738 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\lv Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300737 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\lv\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300736 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\lt Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300735 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\lt\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300734 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\lo Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300733 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\lo\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300732 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ko Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300731 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ko\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300730 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\kn Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300729 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\kn\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300728 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\km Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300727 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\km\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300726 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\kk Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300725 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\kk\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300724 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ka Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300723 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ka\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300722 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ja Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300721 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ja\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300720 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\iw Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300719 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\iw\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300718 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\it Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300717 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\it\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300716 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\is Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300715 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\is\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300714 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\id Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300713 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\id\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300712 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\hy Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300711 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\hy\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300710 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\hu Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300709 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\hu\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300708 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\hr Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300707 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\hr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300706 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\hi Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300705 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\hi\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300704 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\gu Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300703 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\gu\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300702 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\gl Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300701 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\gl\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300700 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fr_CA Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300699 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fr_CA\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300698 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fr Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300697 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fr\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300696 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fil Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300695 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fil\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300694 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fi Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300693 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fi\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300692 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fa Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300691 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\fa\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300690 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\eu Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300689 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\eu\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300688 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\et Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300687 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\et\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300686 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\es_419 Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300685 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\es_419\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300684 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\es Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300683 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\es\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300682 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\en_US Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300681 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\en_US\messages.json Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300680 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\en_GB Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300679 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\en_GB\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300678 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\en_CA Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300677 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\en_CA\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300676 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\en Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300675 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\en\messages.json Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300674 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\el Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300673 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\el\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300672 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\de Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300671 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\de\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300670 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\da Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300669 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\da\messages.json Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300668 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\cy Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300667 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\cy\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300666 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\cs Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300665 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\cs\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300664 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ca Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300663 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ca\messages.json Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300662 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\bn Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300661 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\bn\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300660 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\bg Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300659 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\bg\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300658 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\be Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300657 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\be\messages.json Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300656 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\az Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300655 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\az\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300654 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ar Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300653 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\ar\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300652 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\am Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300651 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\am\messages.json Handle ID: 0x758 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300650 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\af Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300649 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\_locales\af\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300648 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\page_embed_script.js Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300647 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\manifest.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300646 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\eventpage_bin_prod.js Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300645 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\dasherSettingSchema.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300644 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.33.0_0\128.png Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300643 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300642 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300641 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_metadata Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300640 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_metadata\verified_contents.json Handle ID: 0x784 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300639 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_metadata\computed_hashes.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300638 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300637 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\zh_TW Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300636 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\zh_TW\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300635 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\zh_CN Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300634 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\zh_CN\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300633 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\vi Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300632 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\vi\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300631 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\uk Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300630 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\uk\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300629 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\tr Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300628 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\tr\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300627 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\th Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300626 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\th\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300625 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sv Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300624 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sv\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300623 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sr Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300622 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sr\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300621 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sl Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300620 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sl\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300619 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sk Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300618 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\sk\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300617 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ru Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300616 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ru\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300615 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ro Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300614 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ro\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300613 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\pt_PT Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300612 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\pt_PT\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300611 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\pt_BR Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300610 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\pt_BR\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300609 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\pl Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300608 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\pl\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300607 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\no Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300606 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\no\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300605 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\nl Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300604 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\nl\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300603 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ms Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300602 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ms\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300601 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\lv Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300600 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\lv\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300599 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\lt Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300598 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\lt\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300597 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ko Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300596 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ko\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300595 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ja Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300594 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ja\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300593 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\it Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300592 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\it\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300591 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\id Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300590 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\id\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300589 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\hu Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300588 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\hu\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300587 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\hi Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300586 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\hi\messages.json Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300585 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\he Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300584 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\he\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300583 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fr Handle ID: 0x778 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300582 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fr\messages.json Handle ID: 0x77c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300581 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300580 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300579 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fi Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300578 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fi\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300577 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\et Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300576 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\et\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300575 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419 Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300574 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300573 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300572 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300571 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\en_US Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300570 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\en_US\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300569 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\en_GB Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300568 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\en_GB\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300567 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\el Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300566 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\el\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300565 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\de Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300564 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\de\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300563 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\da Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300562 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\da\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300561 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\cs Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300560 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\cs\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300559 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ca Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300558 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ca\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300557 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\bg Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300556 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\bg\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300555 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ar Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300554 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\ar\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300553 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\manifest.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300552 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\main.js Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300551 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\main.html Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300550 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\icon_16.png Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300549 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\icon_128.png Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300548 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300547 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0 Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300546 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300545 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata\verified_contents.json Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300544 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300543 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_TW Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300542 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_TW\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300541 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_CN Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300540 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_CN\messages.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300539 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\vi Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300538 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\vi\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300537 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300536 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300535 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\tr Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300534 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\tr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300533 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\th Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300532 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\th\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300531 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sv Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300530 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sv\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300529 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sr Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300528 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300527 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300526 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300525 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sk Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300524 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\sk\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300523 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ru Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300522 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ru\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300521 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ro Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300520 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ro\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300519 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300518 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300517 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_BR Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300516 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_BR\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300515 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pl Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300514 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300513 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300512 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300511 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\nl Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300510 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\nl\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300509 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lv Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300508 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lv\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300507 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lt Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300506 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lt\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300505 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ko Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300504 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ko\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300503 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ja Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300502 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ja\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300501 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\it Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300500 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\it\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300499 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\id Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300498 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\id\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300497 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hu Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300496 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hu\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300495 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hr Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300494 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hr\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300493 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hi Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300492 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\hi\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300491 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\he Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300490 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\he\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300489 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fr Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300488 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fr\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300487 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300486 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300485 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fi Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300484 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fi\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300483 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\es Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300482 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\es\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300481 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\en Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300480 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\en\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300479 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\el Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300478 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\el\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300477 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\de Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300476 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\de\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300475 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\da Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300474 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\da\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300473 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\cs Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300472 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\cs\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300471 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ca Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300470 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ca\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300469 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\bg Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300468 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\bg\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300467 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ar Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300466 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\ar\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300465 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\manifest.json Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300464 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\128.png Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300463 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300462 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0 Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300461 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_metadata Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300460 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_metadata\verified_contents.json Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300459 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300458 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\zh_TW Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300457 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\zh_TW\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300456 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\zh_CN Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300455 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\zh_CN\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300454 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\vi Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300453 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\vi\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300452 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\uk Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300451 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\uk\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300450 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\tr Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300449 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\tr\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300448 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\th Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300447 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\th\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300446 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300445 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300444 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sr Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300443 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sr\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300442 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sl Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300441 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300440 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sk Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300439 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sk\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300438 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ru Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300437 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ru\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300436 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ro Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300435 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ro\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300434 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\pt_PT Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300433 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\pt_PT\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300432 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\pt_BR Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300431 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\pt_BR\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300430 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\pl Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300429 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\pl\messages.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300428 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\no Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300427 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\no\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300426 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\nl Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300425 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\nl\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300424 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ms Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300423 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ms\messages.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300422 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\lv Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300421 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\lv\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300420 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\lt Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300419 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\lt\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300418 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ko Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300417 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ko\messages.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300416 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ja Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300415 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ja\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300414 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\it Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300413 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\it\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300412 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\id Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300411 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\id\messages.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300410 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\hu Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300409 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\hu\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300408 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\hr Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300407 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\hr\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300406 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\hi Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300405 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\hi\messages.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300404 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\he Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300403 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\he\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300402 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\fr Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300401 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\fr\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300400 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\fil Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300399 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\fil\messages.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300398 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\fi Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300397 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\fi\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300396 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\eu Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300395 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\eu\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300394 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\et Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300393 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\et\messages.json Handle ID: 0x770 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300392 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es_419 Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300391 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es_419\messages.json Handle ID: 0x774 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300390 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300389 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300388 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\en_US Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300387 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\en_US\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300386 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\en_GB Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300385 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\en_GB\messages.json Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300384 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\el Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300383 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\el\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300382 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\de Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300381 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\de\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300380 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\da Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300379 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\da\messages.json Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300378 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\cs Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300377 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\cs\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300376 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ca Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300375 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ca\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300374 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\bg Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300373 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\bg\messages.json Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300372 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ar Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300371 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ar\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300370 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\manifest.json Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300369 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\128.png Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300368 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300367 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300366 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300365 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\verified_contents.json Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300364 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\computed_hashes.json Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300363 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300362 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\zh_TW Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300361 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\zh_TW\messages.json Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300360 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\zh_CN Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300359 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\zh_CN\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300358 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\vi Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300357 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\vi\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300356 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\uk Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300355 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\uk\messages.json Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300354 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\tr Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300353 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\tr\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300352 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\th Handle ID: 0x768 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300351 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\th\messages.json Handle ID: 0x76c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300350 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sv Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300349 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sv\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300348 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sr Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300347 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sr\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300346 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sl Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300345 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sl\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300344 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sk Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300343 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sk\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300342 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ru Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300341 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ru\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300340 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ro Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300339 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ro\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300338 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pt_PT Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300337 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pt_PT\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300336 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pt_BR Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300335 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pt_BR\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300334 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pl Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300333 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\pl\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300332 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\no Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300331 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\no\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300330 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\nl Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300329 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\nl\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300328 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ms Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300327 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ms\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300326 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\lv Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300325 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\lv\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300324 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\lt Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300323 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\lt\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300322 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ko Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300321 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ko\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300320 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ja Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300319 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ja\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300318 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\it Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300317 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\it\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300316 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\id Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300315 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\id\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300314 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hu Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300313 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hu\messages.json Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300312 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hi Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300311 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\hi\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300310 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\he Handle ID: 0x75c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300309 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\he\messages.json Handle ID: 0x760 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300308 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fr Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300307 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fr\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300306 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300305 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300304 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fi Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300303 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fi\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300302 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\et Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300301 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\et\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300300 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\es_419 Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300299 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\es_419\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300298 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\es Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300297 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\es\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300296 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\en_US Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300295 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\en_US\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300294 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\en_GB Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300293 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\en_GB\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300292 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\el Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300291 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\el\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300290 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\de Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300289 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\de\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300288 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\da Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300287 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\da\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300286 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\cs Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300285 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\cs\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300284 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ca Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300283 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ca\messages.json Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300282 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\bg Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300281 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\bg\messages.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300280 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ar Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300279 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ar\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300278 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\manifest.json Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300277 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\main.js Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300276 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\main.html Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300275 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\icon_16.png Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300274 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\icon_128.png Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300273 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300272 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0 Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300271 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_metadata Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300270 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_metadata\verified_contents.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300269 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_metadata\computed_hashes.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300268 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300267 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_TW Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300266 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_TW\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300265 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300264 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300263 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\vi Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300262 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\vi\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300261 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\uk Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300260 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\uk\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300259 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\tr Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300258 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\tr\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300257 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\th Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300256 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\th\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300255 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\sv Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300254 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\sv\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300253 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\sr Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300252 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\sr\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300251 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\sl Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300250 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\sl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300249 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\sk Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300248 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\sk\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300247 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ru Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300246 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ru\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300245 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ro Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300244 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ro\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300243 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\pt_PT Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300242 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\pt_PT\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300241 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\pt_BR Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300240 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\pt_BR\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300239 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\pl Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300238 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\pl\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300237 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\no Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300236 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\no\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300235 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\nl Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300234 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\nl\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300233 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ms Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300232 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ms\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300231 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\lv Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300230 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\lv\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300229 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\lt Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300228 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\lt\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300227 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ko Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300226 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ko\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300225 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ja Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300224 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ja\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300223 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\it Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300222 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\it\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300221 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\id Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300220 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\id\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300219 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\hu Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300218 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\hu\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300217 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\hi Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300216 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\hi\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300215 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\he Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300214 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\he\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300213 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\fr Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300212 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\fr\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300211 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\fil Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300210 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\fil\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300209 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\fi Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300208 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\fi\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300207 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\et Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300206 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\et\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300205 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\es_419 Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300204 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\es_419\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300203 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\es Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300202 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\es\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300201 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\en_US Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300200 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\en_US\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300199 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\en_GB Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300198 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\en_GB\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300197 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\el Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300196 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\el\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300195 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\de Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300194 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\de\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300193 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\da Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300192 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\da\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300191 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\cs Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300190 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\cs\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300189 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ca Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300188 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ca\messages.json Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300187 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\bg Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300186 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\bg\messages.json Handle ID: 0x750 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300185 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ar Handle ID: 0x74c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300184 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ar\messages.json Handle ID: 0x754 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300183 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\manifest.json Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300182 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\main.js Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300181 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\main.html Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300180 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\icon_16.png Handle ID: 0x748 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300179 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\icon_128.png Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300178 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension State Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300177 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001 Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300176 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300175 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300174 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300173 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300172 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300171 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300170 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300169 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300168 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300167 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300166 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Download Service Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300165 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300164 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300163 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300162 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOCK Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300161 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300160 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002 Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300159 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300158 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOCK Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300157 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300156 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000003.log Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300155 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300154 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300153 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300152 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300151 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300150 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300149 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300148 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300147 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300146 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index Handle ID: 0x744 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300145 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300144 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fed64eecd22ee916_0 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300143 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\86c690ca4cd495d4_0 Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300142 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\84087b5e6ca28be9_0 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300141 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\53f670dee1432423_0 Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300140 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\468940aa3a5a81a8_0 Handle ID: 0x740 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300139 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0da6c2c8ca02dac3_0 Handle ID: 0x73c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300138 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300137 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\index Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300136 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300135 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300134 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300133 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300132 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300131 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300130 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300129 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300128 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300127 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300126 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300125 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300124 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300123 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\blob_storage Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300122 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\blob_storage\1c821686-0226-477c-aef9-af38e81955f9 Handle ID: 0x71c Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300121 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Handle ID: 0x708 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;OICIIDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300120 Keywords=Audit Success Message=Auditing settings on object were changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG Handle ID: 0x674 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=300119 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK Handle ID: 0x6e8 Process Information: Process ID: 0x18e8 Process Name: C:\Windows\System32\dllhost.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;IDSA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1264816779-2202646830-2263137595-513) 09/15/2021 10:28:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=301161 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cf4 New Process Name: C:\Windows\System32\mmc.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x75c Creator Process Name: C:\Windows\explorer.exe Process Command Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284970 Keywords=Audit Failure Message=An account failed to log on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:28:17 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=301163 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10b0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:17 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=301162 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d58 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:21 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=301164 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c10 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=301166 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3dc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:22 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=301165 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ea0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:23 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=301167 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f14 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:24 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=301168 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dbc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb94 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301198 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Logon Subcategory: Kerberos Authentication Service Subcategory GUID: {0CCE9242-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301197 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Logon Subcategory: Kerberos Service Ticket Operations Subcategory GUID: {0CCE9240-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301196 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Logon Subcategory: Credential Validation Subcategory GUID: {0CCE923F-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301195 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: DS Access Subcategory: Directory Service Access Subcategory GUID: {0CCE923B-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301194 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Management Subcategory: Security Group Management Subcategory GUID: {0CCE9237-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301193 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Management Subcategory: Computer Account Management Subcategory GUID: {0CCE9236-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301192 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Account Management Subcategory: User Account Management Subcategory GUID: {0CCE9235-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301191 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Policy Change Subcategory: Authentication Policy Change Subcategory GUID: {0CCE9230-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301190 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Policy Change Subcategory: Audit Policy Change Subcategory GUID: {0CCE922F-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301189 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Detailed Tracking Subcategory: Process Creation Subcategory GUID: {0CCE922B-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301188 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: File Share Subcategory GUID: {0CCE9224-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301187 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Network Policy Server Subcategory GUID: {0CCE9243-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301186 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Special Logon Subcategory GUID: {0CCE921B-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301185 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Account Lockout Subcategory GUID: {0CCE9217-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301184 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Logoff Subcategory GUID: {0CCE9216-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301183 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Logon/Logoff Subcategory: Logon Subcategory GUID: {0CCE9215-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301182 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: System Subcategory: Other System Events Subcategory GUID: {0CCE9214-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301181 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: System Subcategory: System Integrity Subcategory GUID: {0CCE9212-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301180 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: System Subcategory: Security State Change Subcategory GUID: {0CCE9210-69AE-11D9-BED3-505054503030} Changes: Success removed 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=301179 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15531C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=301178 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15532BE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=301177 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155330A Logon Type: 3 This event is generated when a logon session is destroyed. 
It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=301176 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x15533FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=301175 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=301174 Keywords=Audit Success Message=An account was successfully logged on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x155330A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 54624 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=301173 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155330A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=301172 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x15532BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=301171 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15532BE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=301170 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x15531C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {DC27293D-A8AA-BAF0-AE4A-C8C2D98B1E47} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::d04d:7713:2e35:db00 Source Port: 54623 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:28:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=301169 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15531C0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 09/15/2021 10:28:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284971 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: INFO Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 91.220.163.18 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. 
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:28:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301199 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Detailed File Share Subcategory GUID: {0CCE9244-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301202 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: File System Subcategory GUID: {0CCE921D-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301201 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:28:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301200 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:28:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284972 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xcf0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284974 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x928 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284973 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb88 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284975 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284977 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x780 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284976 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284978 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x184 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301205 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Handle Manipulation Subcategory GUID: {0CCE9223-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301204 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:28:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301203 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:28:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301208 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Kernel Object Subcategory GUID: {0CCE921F-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:28:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301207 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:28:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301206 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:28:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284979 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADRIEN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 119.18.39.54 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:29:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301211 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Other Object Access Events Subcategory GUID: {0CCE9227-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301210 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301209 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301214 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Registry Subcategory GUID: {0CCE921E-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301213 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301212 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301217 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Removable Storage Subcategory GUID: {0CCE9245-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301216 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301215 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301220 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: SAM Subcategory GUID: {0CCE9220-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301219 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301218 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301223 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Central Policy Staging Subcategory GUID: {0CCE9246-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301222 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301221 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x15533FA Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54625 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301229 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Handle ID: 0x264f8451d60 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301228 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Handle ID: 0x264f844ed40 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301227 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Object Type: SAM_USER Object Name: ATTACKRANGE\Administrator Handle ID: 0x264f844ed40 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadGeneralInformation ReadPreferences WritePreferences ReadLogon ReadAccount WriteAccount ChangePassword (with knowledge of old password) SetPassword (without knowledge of old password) ListGroups Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {bf967aba-0de6-11d0-a285-00aa003049e2} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadGeneralInformation ReadPreferences WritePreferences ReadLogon ReadAccount WriteAccount ChangePassword (with knowledge of old password) SetPassword (without knowledge of old password) ListGroups {59ba2f42-79a2-11d0-9020-00c04fc2d3cf} {bf967938-0de6-11d0-a285-00aa003049e2} {5fd42471-1262-11d0-a060-00aa006c33ed} {bf9679e8-0de6-11d0-a285-00aa003049e2} {bf967a00-0de6-11d0-a285-00aa003049e2} {3e0abfd0-126a-11d0-a060-00aa006c33ed} {bf967a6a-0de6-11d0-a285-00aa003049e2} {bf967953-0de6-11d0-a285-00aa003049e2} {4c164200-20c0-11d0-a768-00aa006e0529} {bf967915-0de6-11d0-a285-00aa003049e2} 
{bf967a0a-0de6-11d0-a285-00aa003049e2} {bf967a68-0de6-11d0-a285-00aa003049e2} {bf967a6d-0de6-11d0-a285-00aa003049e2} {5f202010-79a5-11d0-9020-00c04fc2d4cf} {bf96792e-0de6-11d0-a285-00aa003049e2} {bf967985-0de6-11d0-a285-00aa003049e2} {bf967986-0de6-11d0-a285-00aa003049e2} {bf967996-0de6-11d0-a285-00aa003049e2} {bf967997-0de6-11d0-a285-00aa003049e2} {bf9679aa-0de6-11d0-a285-00aa003049e2} {bf9679ab-0de6-11d0-a285-00aa003049e2} {bf9679ac-0de6-11d0-a285-00aa003049e2} {bf967a05-0de6-11d0-a285-00aa003049e2} {bf9679a8-0de6-11d0-a285-00aa003049e2} {e48d0154-bcf8-11d1-8702-00c04fb96050} {bf967950-0de6-11d0-a285-00aa003049e2} {bc0ac240-79a9-11d0-9020-00c04fc2d4cf} {bf967991-0de6-11d0-a285-00aa003049e2} {ab721a53-1e2f-11d0-9819-00aa0040529b} {00299570-246d-11d0-a768-00aa006e0529} {7ed84960-ad10-11d0-8a92-00aa006e0529} Restricted SID Count: 0 09/15/2021 10:29:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301226 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Handle ID: 0x264f8450080 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301225 Keywords=Audit Success Message=A handle to an object was requested. 
Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Object Type: SAM_USER Object Name: ATTACKRANGE\Administrator Handle ID: 0x264f8450080 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadGeneralInformation ReadPreferences WritePreferences ReadLogon ReadAccount WriteAccount ChangePassword (with knowledge of old password) SetPassword (without knowledge of old password) ListGroups Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {bf967aba-0de6-11d0-a285-00aa003049e2} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadGeneralInformation ReadPreferences WritePreferences ReadLogon ReadAccount WriteAccount ChangePassword (with knowledge of old password) SetPassword (without knowledge of old password) ListGroups {59ba2f42-79a2-11d0-9020-00c04fc2d3cf} {bf967938-0de6-11d0-a285-00aa003049e2} {5fd42471-1262-11d0-a060-00aa006c33ed} {bf9679e8-0de6-11d0-a285-00aa003049e2} {bf967a00-0de6-11d0-a285-00aa003049e2} {3e0abfd0-126a-11d0-a060-00aa006c33ed} {bf967a6a-0de6-11d0-a285-00aa003049e2} {bf967953-0de6-11d0-a285-00aa003049e2} {4c164200-20c0-11d0-a768-00aa006e0529} {bf967915-0de6-11d0-a285-00aa003049e2} {bf967a0a-0de6-11d0-a285-00aa003049e2} {bf967a68-0de6-11d0-a285-00aa003049e2} {bf967a6d-0de6-11d0-a285-00aa003049e2} {5f202010-79a5-11d0-9020-00c04fc2d4cf} {bf96792e-0de6-11d0-a285-00aa003049e2} {bf967985-0de6-11d0-a285-00aa003049e2} {bf967986-0de6-11d0-a285-00aa003049e2} {bf967996-0de6-11d0-a285-00aa003049e2} {bf967997-0de6-11d0-a285-00aa003049e2} {bf9679aa-0de6-11d0-a285-00aa003049e2} {bf9679ab-0de6-11d0-a285-00aa003049e2} {bf9679ac-0de6-11d0-a285-00aa003049e2} {bf967a05-0de6-11d0-a285-00aa003049e2} {bf9679a8-0de6-11d0-a285-00aa003049e2} 
{e48d0154-bcf8-11d1-8702-00c04fb96050} {bf967950-0de6-11d0-a285-00aa003049e2} {bc0ac240-79a9-11d0-9020-00c04fc2d4cf} {bf967991-0de6-11d0-a285-00aa003049e2} {ab721a53-1e2f-11d0-9819-00aa0040529b} {00299570-246d-11d0-a768-00aa006e0529} {7ed84960-ad10-11d0-8a92-00aa006e0529} Restricted SID Count: 0 09/15/2021 10:29:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301224 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: DC=attackrange,DC=local Handle ID: 0x264f8451d60 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} {bf967a34-0de6-11d0-a285-00aa003049e2} 
{bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301241 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155E97F Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54658 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301240 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155E97F Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54658 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit Access Request Information: Access Mask: 0x100081 Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Check Results: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301239 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155E97F Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54658 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Access Request Information: Access Mask: 0x80 Accesses: ReadAttributes Access Check Results: ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=301238 Keywords=Audit Success Message=A network share object was accessed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155E97F Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54658 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301237 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Audit Policy Change: Category: Object Access Subcategory: Filtering Platform Connection Subcategory GUID: {0CCE9226-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301236 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Audit Policy Change: Category: Object Access Subcategory: Filtering Platform Packet Drop Subcategory GUID: {0CCE9225-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301235 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Audit Policy Change: Category: Object Access Subcategory: Application Generated Subcategory GUID: {0CCE9222-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301234 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Audit Policy Change: Category: Object Access Subcategory: Certification Services Subcategory GUID: {0CCE9221-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301233 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Account Manager Handle ID: 0x264f8451890 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301232 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Account Manager Handle ID: 0x264f8450080 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301231 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: CN=Builtin,DC=attackrange,DC=local Handle ID: 0x264f8451890 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} 
{bf967a34-0de6-11d0-a285-00aa003049e2} {bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0 09/15/2021 10:29:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301230 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: DC=attackrange,DC=local Handle ID: 0x264f8450080 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} 
{b8119fd0-04f6-4762-ab7a-4986c76b3f9a} {bf967a34-0de6-11d0-a285-00aa003049e2} {bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0 09/15/2021 10:29:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5152 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Packet Drop OpCode=Info RecordNumber=301242 Keywords=Audit Failure Message=The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: Inbound Source Address: 10.0.1.12 Source Port: 8089 Destination Address: 10.0.1.14 Destination Port: 54644 Protocol: 6 Filter Information: Filter Run-Time ID: 88850 Layer Name: Transport Layer Run-Time ID: 13 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301262 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301261 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301260 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301259 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301258 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301257 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155F566 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54663 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301256 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155F566 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54663 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit Access Request Information: Access Mask: 0x100081 Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Check Results: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301255 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155F566 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54663 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Access Request Information: Access Mask: 0x80 Accesses: ReadAttributes Access Check Results: ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=301254 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x155F566 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54663 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301253 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54663 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301252 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54663 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301251 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 4 Application Name: System Network Information: Source Address: :: Source Port: 54663 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301250 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Audit Policy Change: Category: DS Access Subcategory: Detailed Directory Service Replication Subcategory GUID: {0CCE923E-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301249 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Audit Policy Change: Category: DS Access Subcategory: Directory Service Replication Subcategory GUID: {0CCE923D-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301248 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Audit Policy Change: Category: DS Access Subcategory: Directory Service Changes Subcategory GUID: {0CCE923C-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301247 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Audit Policy Change: Category: DS Access Subcategory: Directory Service Access Subcategory GUID: {0CCE923B-69AE-11D9-BED3-505054503030} Changes: Success Added, Failure added 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301246 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Account Manager Handle ID: 0x264f8450ef0 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301245 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Account Manager Handle ID: 0x264f844f210 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301244 Keywords=Audit Success Message=A handle to an object was requested. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: CN=Builtin,DC=attackrange,DC=local Handle ID: 0x264f8450ef0 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} {bf967a34-0de6-11d0-a285-00aa003049e2} {bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0 09/15/2021 10:29:45 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301243 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: DC=attackrange,DC=local Handle ID: 0x264f844f210 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} {bf967a34-0de6-11d0-a285-00aa003049e2} {bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security 
auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301283 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301282 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301281 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301280 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301279 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301278 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301277 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301276 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301275 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301274 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301273 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301272 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301271 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301270 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301269 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301268 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301267 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301266 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301265 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301264 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2508 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:46 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301263 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2508 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301306 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301305 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301304 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301303 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301302 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301301 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301300 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301299 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301298 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301297 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301296 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301295 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301294 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301293 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301292 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301291 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301290 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301289 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301288 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301287 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301286 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301285 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301284 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301308 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 3980 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 54664 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 88246 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:48 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301307 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 3980 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 54664 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284980 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x99c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301377 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301376 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301375 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301374 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301373 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301372 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301371 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301370 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301369 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301368 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301367 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301366 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301365 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301364 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301363 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301362 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301361 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301360 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301359 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301358 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301357 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301356 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301355 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301354 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301353 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301352 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301351 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301350 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301349 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301348 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301347 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301346 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301345 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301344 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301343 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301342 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301341 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301340 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301339 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301338 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301337 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301336 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x26c8 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301335 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x26c8 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA) SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA) ReadEA: Granted by D:(A;;0x1200a9;;;BA) ReadAttributes: Granted by D:(A;;0x1200a9;;;BA) Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301334 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xbe4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301333 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x26c8 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xbe4 Target Process ID: 0x4 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301332 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301331 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301330 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301329 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301328 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301327 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301326 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301325 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301324 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301323 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301322 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301321 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301320 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301319 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301318 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301317 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301316 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301315 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301314 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301313 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301312 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301311 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301310 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301309 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301447 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301446 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301445 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301444 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301443 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301442 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301441 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301440 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301439 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301438 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301437 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301436 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301435 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301434 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301433 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301432 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301431 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301430 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301429 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301428 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301427 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301426 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301425 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301424 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301423 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301422 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301421 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301420 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301419 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301418 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301417 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301416 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301415 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301414 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301413 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301412 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301411 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301410 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301409 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301408 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301407 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301406 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301405 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301404 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301403 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301402 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301401 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301400 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301399 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301398 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301397 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301396 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301395 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301394 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301393 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301392 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301391 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301390 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301389 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301388 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301387 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301386 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301385 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301384 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301383 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301382 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301381 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301380 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301379 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301378 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284982 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:29:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284981 Keywords=Audit Failure Message=An account failed to log on. 
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301496 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301495 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301494 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301493 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2508 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301492 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301491 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301490 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301489 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301488 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301487 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301486 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301485 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301484 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301483 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301482 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301481 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301480 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301479 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301478 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301477 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301476 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301475 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301474 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301473 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301472 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301471 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301470 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301469 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301468 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301467 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301466 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301465 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301464 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301463 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301462 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301461 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301460 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301459 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301458 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301457 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301456 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301455 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301454 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301453 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301452 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301451 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301450 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5152 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Packet Drop OpCode=Info RecordNumber=301449 Keywords=Audit Failure Message=The Windows Filtering Platform has blocked a packet. 
Application Information: Process ID: 0 Application Name: - Network Information: Direction: Inbound Source Address: 45.146.164.225 Source Port: 50305 Destination Address: 10.0.1.14 Destination Port: 3389 Protocol: 6 Filter Information: Filter Run-Time ID: 88850 Layer Name: Transport Layer Run-Time ID: 13 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301448 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 308 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 45.146.164.225 Source Port: 50305 Destination Address: 10.0.1.14 Destination Port: 3389 Protocol: 6 Filter Information: Filter Run-Time ID: 66836 Layer Name: Receive/Accept Layer Run-Time ID: 44 09/15/2021 10:29:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284983 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf2c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301530 Keywords=Audit Failure Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gpedit.msc Handle ID: 0x0 Resource Attributes: - Process Information: Process ID: 0x16c0 Process Name: C:\Windows\System32\mmc.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA) SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA) WriteData (or AddFile): Not granted AppendData (or AddSubdirectory or CreatePipeInstance): Not granted WriteEA: Not granted ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA) WriteAttributes: Not granted Access Mask: 0x120196 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301529 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x370 Process Information: Process ID: 0x153c Process Name: C:\Windows\System32\cmd.exe 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301528 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x370 Resource Attributes: - Process Information: Process ID: 0x153c Process Name: C:\Windows\System32\cmd.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA) SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA) ReadEA: Granted by D:(A;;0x1200a9;;;BA) ReadAttributes: Granted by D:(A;;0x1200a9;;;BA) Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301527 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xe8c Process Information: Process ID: 0x153c Process Name: C:\Windows\System32\cmd.exe 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301526 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x370 Source Process ID: 0x153c New Handle Information: Target Handle ID: 0xe8c Target Process ID: 0x4 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301525 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301524 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301523 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301522 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301521 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301520 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301519 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301518 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301517 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301516 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301515 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301514 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301513 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301512 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301511 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301510 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301509 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301508 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301507 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301506 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301505 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301504 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301503 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301502 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301501 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301500 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301499 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301498 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301497 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284984 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301588 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301587 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301586 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301585 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301584 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301583 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301582 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301581 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301580 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301579 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301578 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301577 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301576 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301575 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301574 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301573 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301572 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301571 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301570 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301569 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301568 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301567 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301566 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301565 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301564 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301563 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301562 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301561 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301560 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301559 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301558 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301557 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301556 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301555 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301554 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301553 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301552 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301551 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301550 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301549 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301548 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301547 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301546 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301545 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301544 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301543 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301542 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301541 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301540 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301539 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301538 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301537 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301536 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301535 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301534 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301533 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301532 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301531 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284985 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf00 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301643 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301642 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301641 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301640 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301639 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301638 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301637 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301636 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301635 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301634 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301633 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301632 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301631 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301630 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301629 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301628 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301627 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301626 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301625 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301624 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301623 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301622 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301621 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301620 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301619 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301618 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301617 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301616 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301615 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301614 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301613 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301612 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301611 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301610 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301609 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301608 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301607 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301606 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301605 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301604 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301603 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301602 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301601 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301600 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301599 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301598 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301597 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301596 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301595 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301594 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301593 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301592 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301591 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284987 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x5c0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284986 Keywords=Audit Success Message=A new process has been created. 
Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf88 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301590 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 3980 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 54665 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 88246 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301589 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 3980 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 54665 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301701 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301700 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301699 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301698 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301697 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301696 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301695 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301694 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301693 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301692 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301691 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301690 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301689 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301688 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301687 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301686 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301685 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301684 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301683 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301682 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301681 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301680 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301679 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301678 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301677 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301676 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301675 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301674 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301673 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301672 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301671 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301670 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301669 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301668 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301667 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301666 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301665 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301664 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301663 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301662 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301661 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301660 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301659 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301658 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301657 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301656 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301655 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301654 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301653 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301652 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301651 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301650 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301649 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301648 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301647 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301646 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301645 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301644 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301749 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301748 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301747 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301746 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301745 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301744 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301743 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301742 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301741 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301740 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301739 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301738 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301737 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301736 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301735 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301734 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301733 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301732 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301731 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301730 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301729 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301728 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301727 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301726 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301725 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301724 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301723 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301722 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301721 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301720 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301719 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301718 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301717 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301716 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301715 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301714 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301713 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301712 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301711 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301710 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301709 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301708 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301707 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301706 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301705 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301704 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301703 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301702 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301827 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: DS Access Subcategory: Detailed Directory Service Replication Subcategory GUID: {0CCE923E-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301826 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: DS Access Subcategory: Directory Service Replication Subcategory GUID: {0CCE923D-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301825 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: DS Access Subcategory: Directory Service Changes Subcategory GUID: {0CCE923C-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301824 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: DS Access Subcategory: Directory Service Access Subcategory GUID: {0CCE923B-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301823 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Filtering Platform Connection Subcategory GUID: {0CCE9226-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301822 Keywords=Audit Success Message=System audit policy was changed. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Filtering Platform Packet Drop Subcategory GUID: {0CCE9225-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301821 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Application Generated Subcategory GUID: {0CCE9222-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4719 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Audit Policy Change OpCode=Info RecordNumber=301820 Keywords=Audit Success Message=System audit policy was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Audit Policy Change: Category: Object Access Subcategory: Certification Services Subcategory GUID: {0CCE9221-69AE-11D9-BED3-505054503030} Changes: Success removed, Failure removed 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301819 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Handle ID: 0x264f844f210 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=301818 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Handle ID: 0x264f8451890 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301817 Keywords=Audit Success Message=A handle to an object was requested. 
Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: CN=Builtin,DC=attackrange,DC=local Handle ID: 0x264f844f210 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} {bf967a34-0de6-11d0-a285-00aa003049e2} {bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4661 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=SAM OpCode=Info RecordNumber=301816 Keywords=Audit Success Message=A handle to an object was requested. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Account Manager Object Type: SAM_DOMAIN Object Name: DC=attackrange,DC=local Handle ID: 0x264f8451890 Process Information: Process ID: 0x278 Process Name: C:\Windows\System32\lsass.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts Access Reasons: - Access Mask: 0xF01FF Privileges Used for Access Check: - Properties: --- {19195a5a-6da0-11d0-afd3-00c04fd930c9} DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts {c7407360-20bf-11d0-a768-00aa006e0529} {bf9679a4-0de6-11d0-a285-00aa003049e2} {bf9679a5-0de6-11d0-a285-00aa003049e2} {bf9679a6-0de6-11d0-a285-00aa003049e2} {bf9679bb-0de6-11d0-a285-00aa003049e2} {bf9679c2-0de6-11d0-a285-00aa003049e2} {bf9679c3-0de6-11d0-a285-00aa003049e2} {bf967a09-0de6-11d0-a285-00aa003049e2} {bf967a0b-0de6-11d0-a285-00aa003049e2} {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} {bf967a34-0de6-11d0-a285-00aa003049e2} {bf967a33-0de6-11d0-a285-00aa003049e2} {bf9679c5-0de6-11d0-a285-00aa003049e2} {bf967a61-0de6-11d0-a285-00aa003049e2} {bf967977-0de6-11d0-a285-00aa003049e2} {bf96795e-0de6-11d0-a285-00aa003049e2} {bf9679ea-0de6-11d0-a285-00aa003049e2} {ab721a52-1e2f-11d0-9819-00aa0040529b} Restricted SID Count: 0 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301815 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301814 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301813 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301812 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301811 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301810 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301809 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301808 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301807 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301806 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301805 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301804 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301803 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301802 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301801 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301800 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301799 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301798 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301797 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301796 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301795 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301794 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301793 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301792 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301791 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301790 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301789 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301788 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301787 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301786 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301785 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301784 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301783 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301782 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301781 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301780 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301779 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301778 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301777 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301776 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301775 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301774 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2964 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49700 Destination Address: 10.0.1.12 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 88250 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301773 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301772 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301771 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301770 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301769 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm Access Request Information: Access Mask: 0x100081 Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Check Results: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301768 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301767 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=301766 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=301765 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x1564FC8 Network Information: Object Type: File Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301764 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301763 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54670 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301762 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 4 Application Name: System Network Information: Source Address: :: Source Port: 54670 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301761 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 632 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.14 Source Port: 54669 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65787 Layer Name: Receive/Accept Layer Run-Time ID: 44 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301760 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1272 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 54669 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65789 Layer Name: Connect Layer Run-Time ID: 48 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301759 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1272 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 54669 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301758 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 632 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54668 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301757 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1272 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54668 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301756 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. 
Application Information: Process ID: 1272 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 54668 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301755 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 632 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54667 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301754 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 632 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Outbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54667 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301753 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 632 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: :: Source Port: 54667 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301752 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 912 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54666 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301751 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. 
Application Information: Process ID: 632 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Outbound Source Address: fe80::d04d:7713:2e35:db00 Source Port: 54666 Destination Address: fe80::d04d:7713:2e35:db00 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 09/15/2021 10:29:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=301750 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 632 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: :: Source Port: 54666 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301886 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1738 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301885 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301884 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301883 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301882 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xf4c Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301881 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1738 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xf4c Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301880 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1738 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301879 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301878 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301877 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301876 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xf4c Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301875 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1738 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xf4c Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301874 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2a14 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301873 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2a14 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301872 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xecc Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301871 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2a14 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xecc Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301870 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2a14 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301869 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2a14 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301868 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xecc Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301867 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2a14 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xecc Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301866 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2a14 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301865 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2a14 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301864 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xecc Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301863 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2a14 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xecc Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301862 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2a14 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301861 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2a14 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301860 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xecc Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301859 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2a14 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xecc Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301858 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1738 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301857 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301856 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301855 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301854 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xf4c Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301853 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1738 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xf4c Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301852 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1738 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301851 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301850 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301849 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1738 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301848 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xf4c Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301847 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1738 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xf4c Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301846 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x9d4 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301845 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x9d4 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301844 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x9d4 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301843 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xf34 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301842 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x9d4 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xf34 Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301841 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2474 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301840 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0xcc8 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301839 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0xcc8 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301838 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0xcc8 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301837 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xf34 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301836 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0xcc8 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xf34 Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301835 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2474 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301834 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2474 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301833 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xec4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301832 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2474 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xec4 Target Process ID: 0x4 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301831 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xcc8 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301830 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0xcc8 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadEA: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301829 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xf34 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301828 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0xcc8 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xf34 Target Process ID: 0x4 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301911 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2500 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301910 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Handle ID: 0x2500 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301909 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Handle ID: 0x2500 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301908 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xcc4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301907 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2500 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xcc4 Target Process ID: 0x4 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301906 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2500 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301905 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Handle ID: 0x2500 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301904 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Handle ID: 0x2500 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301903 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xcc4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301902 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2500 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xcc4 Target Process ID: 0x4 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301901 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x24d8 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301900 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_and_features_store Handle ID: 0x24d8 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301899 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_and_features_store Handle ID: 0x24d8 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301898 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xec4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301897 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x24d8 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xec4 Target Process ID: 0x4 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301896 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x15d4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301895 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Handle ID: 0x15d4 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301894 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Handle ID: 0x15d4 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301893 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xec4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301892 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x15d4 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xec4 Target Process ID: 0x4 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301891 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x15d4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301890 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage Handle ID: 0x15d4 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301889 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage Handle ID: 0x15d4 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301888 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xec4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301887 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x15d4 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xec4 Target Process ID: 0x4 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301923 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x24d4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301922 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x24d4 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301921 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x24d4 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301920 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x24d4 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301919 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xedc Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301918 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x24d4 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xedc Target Process ID: 0x4 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301917 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x24d4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301916 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x24d4 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301915 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x24d4 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301914 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x24d4 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301913 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xedc Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301912 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x24d4 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xedc Target Process ID: 0x4 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301938 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x498 Process Information: Process ID: 0x64 Process Name: C:\Windows\System32\rdpclip.exe 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301937 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x498 Resource Attributes: S:AI Process Information: Process ID: 0x64 Process Name: C:\Windows\System32\rdpclip.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301936 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x498 Resource Attributes: - Process Information: Process ID: 0x64 Process Name: C:\Windows\System32\rdpclip.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;;FA;;;BA) ReadEA: Granted by D:(A;;FA;;;BA) ReadAttributes: Granted by D:(A;;FA;;;BA) Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301935 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xfec Process Information: Process ID: 0x64 Process Name: C:\Windows\System32\rdpclip.exe 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301934 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x498 Source Process ID: 0x64 New Handle Information: Target Handle ID: 0xfec Target Process ID: 0x4 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301933 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1d38 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301932 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x1d38 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301931 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x1d38 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL Access Reasons: READ_CONTROL: Granted by Ownership Access Mask: 0x20000 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301930 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xfec Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301929 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1d38 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xfec Target Process ID: 0x4 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301928 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1d38 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301927 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x1d38 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301926 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x1d38 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL Access Reasons: READ_CONTROL: Granted by Ownership Access Mask: 0x20000 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301925 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xfec Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301924 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1d38 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xfec Target Process ID: 0x4 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301982 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1548 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301981 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1548 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301980 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xd28 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301979 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1548 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xd28 Target Process ID: 0x4 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301978 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1548 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301977 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1548 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301976 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xd28 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301975 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1548 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xd28 Target Process ID: 0x4 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301974 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1548 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301973 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1548 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301972 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xd28 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301971 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1548 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xd28 Target Process ID: 0x4 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301970 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1548 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301969 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x1548 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100080 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301968 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xd28 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301967 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1548 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xd28 Target Process ID: 0x4 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301966 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2850 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301965 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2850 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301964 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2850 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301963 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xd28 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301962 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2850 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xd28 Target Process ID: 0x4 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301961 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x878 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301960 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x878 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301959 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x878 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) ReadAttributes: Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100081 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301958 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xd28 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301957 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x878 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xd28 Target Process ID: 0x4 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301956 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1528 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301955 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1548 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301954 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x1548 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301953 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1548 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0x1528 Target Process ID: 0x75c 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301952 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1528 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301951 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x1528 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301950 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1548 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0x1528 Target Process ID: 0x75c 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301949 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x1548 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301948 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x1548 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;;FA;;;BA) ReadEA: Granted by D:(A;;FA;;;BA) ReadAttributes: Granted by D:(A;;FA;;;BA) Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301947 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xfb8 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301946 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1548 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xfb8 Target Process ID: 0x4 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301945 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x9d4 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301944 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xcc8 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301943 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2690 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301942 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2690 Resource Attributes: S:AI Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301941 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default Handle ID: 0x2690 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: SYNCHRONIZE: Granted by D:(A;OICI;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;OICI;FA;;;BA) Access Mask: 0x100001 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301940 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xc50 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301939 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x2690 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xc50 Target Process ID: 0x4 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302004 Keywords=Audit Failure Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\eventvwr.msc Handle ID: 0x0 Resource Attributes: - Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA) SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA) WriteData (or AddFile): Not granted AppendData (or AddSubdirectory or CreatePipeInstance): Not granted WriteEA: Not granted ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA) WriteAttributes: Not granted Access Mask: 0x120196 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302003 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x430 Process Information: Process ID: 0x64 Process Name: C:\Windows\System32\rdpclip.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302002 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x430 Resource Attributes: S:AI Process Information: Process ID: 0x64 Process Name: C:\Windows\System32\rdpclip.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302001 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Handle ID: 0x430 Resource Attributes: - Process Information: Process ID: 0x64 Process Name: C:\Windows\System32\rdpclip.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;;FA;;;BA) ReadEA: Granted by D:(A;;FA;;;BA) ReadAttributes: Granted by D:(A;;FA;;;BA) Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302000 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xdb8 Process Information: Process ID: 0x64 Process Name: C:\Windows\System32\rdpclip.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301999 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x430 Source Process ID: 0x64 New Handle Information: Target Handle ID: 0xdb8 Target Process ID: 0x4 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301998 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x368 Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301997 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates Handle ID: 0x368 Resource Attributes: - Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Access Reasons: - Access Mask: 0x3001F Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301996 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xfa8 Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301995 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x368 Source Process ID: 0xdd8 New Handle Information: Target Handle ID: 0xfa8 Target Process ID: 0x4 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301994 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x364 Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301993 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates Handle ID: 0x364 Resource Attributes: - Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Access Reasons: - Access Mask: 0x3001F Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301992 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xfa8 Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301991 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x364 Source Process ID: 0xdd8 New Handle Information: Target Handle ID: 0xfa8 Target Process ID: 0x4 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301990 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x360 Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301989 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates Handle ID: 0x360 Resource Attributes: - Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Access Reasons: - Access Mask: 0x3001F Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=301988 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xfa8 Process Information: Process ID: 0xdd8 Process Name: C:\Windows\System32\mmc.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301987 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x360 Source Process ID: 0xdd8 New Handle Information: Target Handle ID: 0xfa8 Target Process ID: 0x4 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301986 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x1c70 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301985 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x1c70 Resource Attributes: - Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA) SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA) ReadEA: Granted by D:(A;;0x1200a9;;;BA) ReadAttributes: Granted by D:(A;;0x1200a9;;;BA) Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=301984 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xd54 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=301983 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x1c70 Source Process ID: 0x75c New Handle Information: Target Handle ID: 0xd54 Target Process ID: 0x4 09/15/2021 10:30:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302009 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Handle ID: 0x2b8 Process Information: Process ID: 0x1c84 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 09/15/2021 10:30:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302008 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Object Type: Process Object Name: \Device\HarddiskVolume1\Windows\System32\lsass.exe Handle ID: 0x2b8 Resource Attributes: - Process Information: Process ID: 0x1c84 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Access Request Information: Accesses: Read from process memory Access Mask: 0x10 09/15/2021 10:30:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302007 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Object Type: Process Object Name: \Device\HarddiskVolume1\Windows\System32\lsass.exe Handle ID: 0x2b8 Resource Attributes: - Process Information: Process ID: 0x1c84 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: Read from process memory Query process information Undefined Access (no effect) Bit 12 Access Reasons: - Access Mask: 0x1410 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:30:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302006 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Handle ID: 0xfa0 Process Information: Process ID: 0x1c84 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 09/15/2021 10:30:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302005 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Source Handle Information: Source Handle ID: 0x2b8 Source Process ID: 0x1c84 New Handle Information: Target Handle ID: 0xfa0 Target Process ID: 0x4 09/15/2021 10:30:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302011 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x2850 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302010 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x878 Process Information: Process ID: 0x75c Process Name: C:\Windows\explorer.exe 09/15/2021 10:30:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284988 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb0c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:30:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284990 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x9fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:30:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284989 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x42c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:30:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284991 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xa30 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:30:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284993 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc58 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:30:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284992 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x848 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:30:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284994 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x354 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:31:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284995 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMINISTRATOR Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 84.242.35.58 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302021 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Handle ID: 0x5d0 Process Information: Process ID: 0xc50 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302020 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Object Type: Process Object Name: \Device\HarddiskVolume1\Windows\System32\lsass.exe Handle ID: 0x5d0 Resource Attributes: - Process Information: Process ID: 0xc50 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Access Request Information: Accesses: Read from process memory Access Mask: 0x10 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302019 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Object Type: Process Object Name: \Device\HarddiskVolume1\Windows\System32\lsass.exe Handle ID: 0x5d0 Resource Attributes: - Process Information: Process ID: 0xc50 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: Read from process memory Query process information Undefined Access (no effect) Bit 12 Access Reasons: - Access Mask: 0x1410 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302018 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Handle ID: 0xf9c Process Information: Process ID: 0xc50 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302017 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Source Handle Information: Source Handle ID: 0x5d0 Source Process ID: 0xc50 New Handle Information: Target Handle ID: 0xf9c Target Process ID: 0x4 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302016 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Handle ID: 0x340 Process Information: Process ID: 0x1698 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302015 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Object Type: Process Object Name: \Device\HarddiskVolume1\Windows\System32\lsass.exe Handle ID: 0x340 Resource Attributes: - Process Information: Process ID: 0x1698 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Access Request Information: Accesses: Read from process memory Access Mask: 0x10 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302014 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Object Type: Process Object Name: \Device\HarddiskVolume1\Windows\System32\lsass.exe Handle ID: 0x340 Resource Attributes: - Process Information: Process ID: 0x1698 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: Read from process memory Query process information Undefined Access (no effect) Bit 12 Access Reasons: - Access Mask: 0x1410 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302013 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Object: Object Server: Security Handle ID: 0xdf0 Process Information: Process ID: 0x1698 Process Name: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 09/15/2021 10:31:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302012 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-55$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Source Handle Information: Source Handle ID: 0x340 Source Process ID: 0x1698 New Handle Information: Target Handle ID: 0xdf0 Target Process ID: 0x4 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302038 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x390 Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302037 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates Handle ID: 0x390 Resource Attributes: - Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Access Reasons: - Access Mask: 0x3001F Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302036 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xe94 Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302035 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x390 Source Process ID: 0x1d30 New Handle Information: Target Handle ID: 0xe94 Target Process ID: 0x4 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302034 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x38c Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302033 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates Handle ID: 0x38c Resource Attributes: - Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Access Reasons: - Access Mask: 0x3001F Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302032 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xe94 Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302031 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x38c Source Process ID: 0x1d30 New Handle Information: Target Handle ID: 0xe94 Target Process ID: 0x4 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302030 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x388 Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302029 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates Handle ID: 0x388 Resource Attributes: - Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Access Reasons: - Access Mask: 0x3001F Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Registry OpCode=Info RecordNumber=302028 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xe94 Process Information: Process ID: 0x1d30 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302027 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x388 Source Process ID: 0x1d30 New Handle Information: Target Handle ID: 0xe94 Target Process ID: 0x4 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302026 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x288 Process Information: Process ID: 0xa78 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302025 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: Process Object Name: \Device\HarddiskVolume1\Windows\System32\lsass.exe Handle ID: 0x288 Resource Attributes: - Process Information: Process ID: 0xa78 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Access Request Information: Accesses: Read from process memory Access Mask: 0x10 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302024 Keywords=Audit Success Message=A handle to an object was requested. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: Process Object Name: \Device\HarddiskVolume1\Windows\System32\lsass.exe Handle ID: 0x288 Resource Attributes: - Process Information: Process ID: 0xa78 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: Read from process memory Query process information Undefined Access (no effect) Bit 12 Access Reasons: - Access Mask: 0x1410 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Kernel Object OpCode=Info RecordNumber=302023 Keywords=Audit Success Message=The handle to an object was closed. 
Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x858 Process Information: Process ID: 0xa78 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 09/15/2021 10:31:21 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302022 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x288 Source Process ID: 0xa78 New Handle Information: Target Handle ID: 0x858 Target Process ID: 0x4 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302047 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x5f4 Process Information: Process ID: 0x1d14 Process Name: C:\Temp\jssloader.exe 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302046 Keywords=Audit Success Message=An attempt was made to access an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History Handle ID: 0x5f4 Resource Attributes: S:AI Process Information: Process ID: 0x1d14 Process Name: C:\Temp\jssloader.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302045 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0x61c Process Information: Process ID: 0x1d14 Process Name: C:\Temp\jssloader.exe 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302044 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History Handle ID: 0x61c Resource Attributes: S:AI Process Information: Process ID: 0x1d14 Process Name: C:\Temp\jssloader.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. 
EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302043 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x5f4 Source Process ID: 0x1d14 New Handle Information: Target Handle ID: 0x61c Target Process ID: 0x1d14 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4663 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302042 Keywords=Audit Success Message=An attempt was made to access an object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History Handle ID: 0x5f4 Resource Attributes: S:AI Process Information: Process ID: 0x1d14 Process Name: C:\Temp\jssloader.exe Access Request Information: Accesses: ReadAttributes Access Mask: 0x80 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4656 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302041 Keywords=Audit Success Message=A handle to an object was requested. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History Handle ID: 0x5f4 Resource Attributes: - Process Information: Process ID: 0x1d14 Process Name: C:\Temp\jssloader.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;FA;;;BA) ReadData (or ListDirectory): Granted by D:(A;;FA;;;BA) ReadEA: Granted by D:(A;;FA;;;BA) ReadAttributes: Granted by D:(A;;FA;;;BA) Access Mask: 0x120089 Privileges Used for Access Check: - Restricted SID Count: 0 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4658 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=File System OpCode=Info RecordNumber=302040 Keywords=Audit Success Message=The handle to an object was closed. Subject : Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Object: Object Server: Security Handle ID: 0xfa8 Process Information: Process ID: 0x1d14 Process Name: C:\Temp\jssloader.exe 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4690 EventType=0 Type=Information ComputerName=win-dc-55.attackrange.local TaskCategory=Handle Manipulation OpCode=Info RecordNumber=302039 Keywords=Audit Success Message=An attempt was made to duplicate a handle to an object. 
Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0x1332212 Source Handle Information: Source Handle ID: 0x5f4 Source Process ID: 0x1d14 New Handle Information: Target Handle ID: 0xfa8 Target Process ID: 0x4 09/15/2021 10:31:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=284996 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ADMIN Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: 185.202.2.147 Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 09/15/2021 10:31:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284997 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb80 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:31:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284999 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:31:50 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=284998 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb78 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:31:52 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=285000 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x9e4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 09/15/2021 10:31:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-590.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=285001 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-590$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xd10 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. 
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.