23542300x800000000000000036495953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:33.238{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB30A34BB33A66DEE7206A5866C5E39B,SHA256=233C6A8E9C0F8E55C61FC48B4175C4650FCA17CF19813DD38CF2416A6DF68E43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036495955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:03.998{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50351-false10.0.1.12-8089- 23542300x800000000000000036495954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:34.256{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B40AC5302DFDEB9BAE2A6E29D72E26,SHA256=8C6557FBD5E3D19A4184DB62CDFDE337755A47CC7B70823389D36CDD103D495D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036495957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:35.917{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=59965A32C79A16FEE8C63C6951D3F981,SHA256=6EA527B472D187243D23BADB631C301608F35B1A245F57D14DE0F9B9CAE5196D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036495956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:35.271{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46DAE45B236FC3414E0B7D25782CF0B,SHA256=4DA470F45B14949F117459CBBC49725615B6E2E161590A0877E1BF89700953D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036495959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:05.734{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50352-false10.0.1.12-8000- 23542300x800000000000000036495958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:36.286{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699C358486E8028C8D005E11BC0690D7,SHA256=DF59C1908D7C550E7FFDF26A39C04D4AF278B098BE5B8B5BFCF9679EDEBCBDAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036495970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.842{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F11-6140-4856-04000000C801}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.842{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.842{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.842{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.842{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.842{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F11-6140-4856-04000000C801}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036495964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.842{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F11-6140-4856-04000000C801}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036495963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.837{B81B27B7-9F11-6140-4856-04000000C801}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036495962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:06.449{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50353-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 13241300x800000000000000036495961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:09:37.536{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a969-0xc52bf434) 23542300x800000000000000036495960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:37.290{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D5F2537A53893CF0F8A9DE93C66277,SHA256=1050602121F7AF131BCA135714DBA2EA70B855BA546BCA4069B7DAC7A85DEB56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036495981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.706{B81B27B7-9F12-6140-4956-04000000C801}67686736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.541{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F12-6140-4956-04000000C801}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.541{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.541{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.541{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.541{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.541{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F12-6140-4956-04000000C801}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036495974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.541{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F12-6140-4956-04000000C801}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036495973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.520{B81B27B7-9F12-6140-4956-04000000C801}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036495972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.304{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F00B377306AC0A76663922C4DA8EA1,SHA256=B229C71175B0072A4AB16E12335029B8F7870AC6FE8C739AB333F0FBCA92C876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036495971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:38.005{B81B27B7-9F11-6140-4856-04000000C801}23482340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036495992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.328{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB149B12E53AD1CD342CB3A04F1DE3C,SHA256=59FEC82372D351C9B9E161672E358AF5F71BE51D9E2EEAD757D8512F8458AA4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036495991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.150{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F13-6140-4A56-04000000C801}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.150{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.150{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.150{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.150{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.150{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F13-6140-4A56-04000000C801}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036495985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.150{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F13-6140-4A56-04000000C801}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036495984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.144{B81B27B7-9F13-6140-4A56-04000000C801}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036495983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D13403CB914BB9D278DA1068571E93A9,SHA256=9E642B20CF7FE1A419ADC47386EF68473BE57FEB63EB2E9548AA21989603F5C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036495982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:39.065{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3EC346A9F7B31F926BDC8D0434D9647,SHA256=C293CE8873438ED1D1B47E21D301C8282CA7493E10EB219A1D827BFF3834E3A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036495994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:40.344{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB8549092F3AE4A84DE920416F4EBD,SHA256=7F646708E09AB0E3FF3A04D2B1DE32DA91E7436A2F626A0C40E04739197AABC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036495993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:40.164{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D13403CB914BB9D278DA1068571E93A9,SHA256=9E642B20CF7FE1A419ADC47386EF68473BE57FEB63EB2E9548AA21989603F5C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036495996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:41.809{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EEF8403C6F1D8ED68910B54F3AFA87C1,SHA256=98546DEBE3E6D332D9C5F33A9248D4DD7F0767BC4EE7CBAA793254C462AC5C87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036495995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:41.363{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51239318D98EBDA6B1C55E382AA377A7,SHA256=D0E309B9F41844E9F7F29C48F7DD2CFADC4616995EA5261E58281B550E46F18A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036495999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:12.457{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50355-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036495998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:11.758{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50354-false10.0.1.12-8000- 23542300x800000000000000036495997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:42.408{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2DC42B1B5C156EB08612240752828F,SHA256=EC558AD26B0953288F9033DED49E497B3ADFDEB5E0894158EB7568F77ABD630E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:43.423{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CA7A8ACC6354E803888CD865628F54,SHA256=5AD75D9557B00076D6FB9B5DF66D13D9F08AD6789880D366A277E5DAB27F69E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:44.441{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECEEA17EC37CC7EF321AA49626F0CE5,SHA256=2C712CB35E6DDB265A9996BC3C61CCFD659154A97B41CA5099ABC720E9D3AA59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:44.322{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:44.322{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=FEB34DB2FF91F717ADC888CC2FFA7B48,SHA256=741CCA86117C34D20C80C476BA656341273CCF06B932B9BA8B4FC6F04BB7C353,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:45.474{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E252F4B9B07A88CE861E32E6D9314A0,SHA256=D097AEA9A09F9B0A3E6628D564E364AC20D3E59DC75C2A95515FDEFA357FE63D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:16.768{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50356-false10.0.1.12-8000- 23542300x800000000000000036496005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:46.489{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320C40111564ED9CB46612FCD2B4FA50,SHA256=1B0A0D83AECB4225F26E8A3ABFAD8AA80D01E8A39CE7D709A8658AEF8BBD8685,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:47.856{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A2B22191BE9CC8DC1AEEAB8310573AF,SHA256=D587D13CEE165DCD9E9D36547F5CD282109F642EB58630F09158F0A8ED0B3B2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:47.519{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4E33CCC12B46E1AF47ADB06C68BA4C,SHA256=1DD2344C7FCD7C440FA0A5C775A7971C6F7BBA5B64837B6444A626AC1FD94EC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:18.467{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50357-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:48.536{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35AC790295AA4678A397939B92F42227,SHA256=ECAA9A68100C29C30397A175B40F3A08AE4B8FBB91768531E3A7E73E15CB43BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:49.570{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3CF11B169B296F7CD9EF2468115909,SHA256=AA1989B9BDAE7AD7593C083957CF26191B0C51BA6A3E2E36A72ED67D1F37A138,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:50.584{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE84544590E4652C14551846011CE6D2,SHA256=D7C52419313445D6FC2BC477B3233A40B6AC78662758EB3275B4698CC248B8D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:51.631{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D6975B3A5968C535976BC36C956EA9,SHA256=8DF7770826F34F0F5C061FF87E84B6C3521F549F7CD7963CD147CB10211D6CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:52.650{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA38D247E315176AB86CE160356BDDF1,SHA256=5B8045775584687B4BEA786E8E065311C1B747285693686666C899D18FA46F38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:53.830{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=22DABFB2308238E3A2B8037F8181D29F,SHA256=AAC33A3B24893F00990E30E257019F7752C7C32DB97A7D8B288C6D6EC18088AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:53.680{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888BE66CFC342D207A57FFFF091ABDFA,SHA256=4A2EB87DD37223C804B6A36F9FF12BF75A1A7B6A2F8A25AD55DC1C7454629FAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:22.792{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50358-false10.0.1.12-8000- 354300x800000000000000036496019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.475{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50359-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:54.694{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727F6F02958D47E8B1D481214621DB27,SHA256=73F55B05EC08DA122139FEB51D06A44FFC930BC2F5CD0B678B6D251180DABFEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:55.727{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BF6DAD6224CECB53A591BF234D4C1B,SHA256=32D2EBA9405BBCCD03EDF4A5A0C732F1EC28D5FA7AD7B11F16BCCC1C6D038EED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:56.776{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722AEB5E50B0860CE727A2D92D0DBE3F,SHA256=701406557D4FD79043A474CC6DF14AAB83A0A59032A3705B1FE78813CF86CF22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:56.230{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF8a2be979.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:57.791{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662A8D25822AF86313284A7E33A809C2,SHA256=C4CFFCE81833E7642968780B61C1569295C8F301907EC65A732215BA27B72B8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:58.791{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE36ABBFE8B8BDD39B9D8504315E7DE,SHA256=05222C45A84005EA99E21F62E81CF3E635E143517A509FA595486890EBEC5C58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.874{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E92103F17EFF0F47311B66D141E5D497,SHA256=F36412ACF3614BC91457D2441A0196197AE0AA14316AA8828D9530B3B7372B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.822{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A680CB8FEDA950F5CC1F18AD4D55F9B,SHA256=97F3C8CF084382621BBDA3288AC11D27A4744B67D56B2B28690BBF7C15970C33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:09:59.590{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036496025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:28.800{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50360-false10.0.1.12-8000- 23542300x800000000000000036496061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:00.989{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740706D0340B432978E9684717A77151,SHA256=1DBABEBDA64F7436C3533BDFAC7DA64CC0B484B645629BA02DB2BAA581324C66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:30.485{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50361-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:02.024{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F279CE981F858BC3128D36280628DD,SHA256=FB07CAEC72C27F209EC80C25416D61E11D60A0282FBD575E1FFB6DBEE22D673A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:03.055{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2C0DBD3735E3F9D18412F282335850,SHA256=ABDED824BD35B115373220303C29368D77CAE2F2C86F573A0C42E296CD6182A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:04.953{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=098E9153AB392BD29243002718A55547,SHA256=969C6EDF038651F754399064C9AE78A1BB20213437EAA2A193BE84CF5EE45F2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:04.070{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57F0E50F8416BACD5FF261C52D79DBB,SHA256=DC477243AD124733F066CD61125C0A29E02E96AA4BF1B112E2E76CE4FCEE0F57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:35.495{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50363-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:34.817{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50362-false10.0.1.12-8000- 23542300x800000000000000036496066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:05.084{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE6BAFD69C6EAD2DD62B0BDFD96C920,SHA256=21C2D32183D51FA816AEB43FC6C28A0EBA83680AC380D6CAF7C01EB856500FDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:06.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA36D552F1C73FA4C2DFBF60273B87D,SHA256=515E390872356E1D3E7CE4E31C057504F0CD18686FB1507307FE1C19A8ED3373,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:07.135{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B602E3C923FBDE053255776575D245,SHA256=0FF2FBE9139F08207F0319C923A621E4308D60D28580DCC1B9EC273F3309D0F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.928{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F30-6140-4C56-04000000C801}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.926{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.925{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F30-6140-4C56-04000000C801}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.925{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F30-6140-4C56-04000000C801}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.909{B81B27B7-9F30-6140-4C56-04000000C801}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.378{B81B27B7-9F30-6140-4B56-04000000C801}61045644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.229{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F30-6140-4B56-04000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.227{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.227{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.227{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.227{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.227{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F30-6140-4B56-04000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.226{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F30-6140-4B56-04000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.210{B81B27B7-9F30-6140-4B56-04000000C801}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:08.193{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5FCE2A9951CB0E59CC839A8792ED2E,SHA256=8A1F9B83A3CCFABA1DC93422688B6197BCB9B9D9CD71110BCAF11634C8B59750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:09.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48885003619F6D03B453579832167BE,SHA256=99A43D9A184034EFE7A059FA5DC69BCCD638ABC8AF08B6998C5991E486F53AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:09.261{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA854B17A0DC7714E022F92971A7E16,SHA256=B9202A7BFE57E52027FA4A93D5BE9E7835CEF716D310C754CA1C56D6C45D68B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:09.208{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B446FE2B2B9240FCD1CA04C952BDD6B,SHA256=5D542BD2E43BA6E54F9EC01DDE158A5F7D0ECEE5AED63F1DF1CE7B09342909CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:10.260{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7F87552419B316558DC4AD4AC22763,SHA256=372152AE3F2A34B3ADFBFA83BE5A97F4683DD18317C99EB6C3E25B808A48C734,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:40.805{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50364-false10.0.1.12-8000- 23542300x800000000000000036496094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:11.275{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59537F51147313026EAB5384EC599396,SHA256=C174A254941BF420C7DD8A1380E58992234FCA00F33B9CA6F778054732251AAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:11.044{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E67B15155A034645ECC9FC16FD4E36A3,SHA256=7F1669487F3F8CE772C9FE3100411D9E7D1F064782A8BC342FE0741CF2E3B7C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:41.502{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50365-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:12.289{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0DEF8D49A7598628350C5D231258EC,SHA256=FA53E0CDDCA18C63782B5DA90E401B5BAE841CC15312E895EF9F6B8D63AC74E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:13.322{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A322DDBB7CC6044AF089F5B516DF1B30,SHA256=DB1AE06E4FCC2B6C03DBF298F7AAF1BDFA093B1C123BA3CDEC928CC35218D814,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:14.332{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06B8CCFAEAC1B4A69AF0EABD524320D,SHA256=2C8542E3E543E7EDA872FA854919C4B3C8A87338260FC920664655AB9E125CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:15.896{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=539B031520D9A1C2E7ABFB971F28B168,SHA256=30D6C1934190C3EE702A1944ED38434B3B48D9DDD29E2E6CAA5253127D15263E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:15.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4835F2AE640A5CE538DBA32577A8BCEE,SHA256=99FC1701B7FECBED0A76220895D52D3EDAAF08C4AE5F2C07ED8C2C82FB4F72C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000036496109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000036496108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x8a2c3382) 13241300x800000000000000036496107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a961-0x7a29a397) 13241300x800000000000000036496106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a969-0xdbee0b97) 13241300x800000000000000036496105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a972-0x3db27397) 13241300x800000000000000036496104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000036496103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x8a2c3382) 13241300x800000000000000036496102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a961-0x7a29a397) 13241300x800000000000000036496101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a969-0xdbee0b97) 13241300x800000000000000036496100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:10:15.197{B81B27B7-4012-611D-0B00-00000000C801}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a972-0x3db27397) 354300x800000000000000036496114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:46.790{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50367-false10.0.1.12-8000- 354300x800000000000000036496113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:46.529{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50366-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:16.411{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D16823F269684F8ABFE92DF26F1307,SHA256=EA4CB27571B3B277DFD4744C91C892DCA828E912384A4152B86029FDD0412AF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:17.428{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A546064DE0728B27530526A689F7DA4A,SHA256=4B5A6795874984DCDB14A06215CA02FDB3F415276E80060B0766D18BC4365D90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:18.447{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BF8AA9831F50F325D255F9C6289953,SHA256=F2DFD988136675765C00CEBA613FF591A0DFF6DDEC0A543B2F488EA7F49151F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:19.477{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD19BD66B177F80763464EC9F664C10,SHA256=1F0019250DACFFD3519270DB114E376B43BF34BE0B41A08A2C8CD867D26828BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:20.492{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7D6C7071312221135FE889C8207FC1,SHA256=09893F29133DBDCA38CE54EE7D4D9291ADFE98775B0712E24553F27A22E9DC6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:21.975{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8A39EECEE6F4E1CC15EAB57C8D08156D,SHA256=843A12E888C4441AC85117716813DCC2E280CE65BB5FD16FAD7733A3A88EB1D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:21.524{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F580B1467B0810F7C20C326475BFE3,SHA256=CF444D407B3BA1529B94C118DCA80EA90778FBAA5232514DD2E0034856611F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:22.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A17D39632CB41DBFA7144C16981B90B,SHA256=20D927EBA3DC89AC151DEBFD2F7203DACBF566CD36766F4DC020A873BF62645E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:52.823{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50369-false10.0.1.12-8000- 354300x800000000000000036496121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:52.539{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50368-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:23.561{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1569EC527D68A7A190200450201F8BBC,SHA256=1C09E530AF28251032AA2D59F113B6EA679E580F1B9678C824CA9D4872B33F96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:23.193{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8197EC6C5CFCFCAF0E57F182B1FC2705,SHA256=9D0B9DD68769F5257C3B385608D9C23642B213CC4151EF97A7BE911720C57F38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.992{B81B27B7-9F40-6140-4E56-04000000C801}49843380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F40-6140-4E56-04000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9F40-6140-4E56-04000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.829{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F40-6140-4E56-04000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.825{B81B27B7-9F40-6140-4E56-04000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.592{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846FD6B9F93A34FDD872CAE1BA552F2F,SHA256=39B7E341ABCD439387CF0DD7067D5338E0D854D641329F5E7501E5302E003A8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.327{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F40-6140-4D56-04000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.324{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.324{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.324{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.324{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.323{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F40-6140-4D56-04000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.323{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F40-6140-4D56-04000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:24.293{B81B27B7-9F40-6140-4D56-04000000C801}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:25.959{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=272E6A6F5A50BB05AF074334FEA79117,SHA256=260BA69647A066EC8EEAA9FC0A5C35951DAFCB59111D1786066BFC36F31E41A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:25.628{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566C3C5582B6DB0F07FB58DA1E2F6A4E,SHA256=5786F6A9CDC7F48D6A9CF4E56AB4BC4A7484389B71837A43A94FBD3F7C550155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:25.526{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545ABA38114B2CFC5B5F4D126A04B556,SHA256=F18625850F481B434E69001BD1DE9FE7E7438D28BAFEC261383FD783120F2368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:25.526{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48885003619F6D03B453579832167BE,SHA256=99A43D9A184034EFE7A059FA5DC69BCCD638ABC8AF08B6998C5991E486F53AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:26.643{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560148F53DADB3908DAFD141EC7F8739,SHA256=6D895FE11A78C989FF48B3D60E58133DDF9140EAF7B733B74FC536CE4E00E6A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:56.554{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50370-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:27.657{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7ADB9AF78B2F664F2CB1F438A9C416,SHA256=2976C97CCE5339D7EEAE369440C39D1B86BE4412FCE97547000640497E0D47AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:58.836{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50371-false10.0.1.12-8000- 23542300x800000000000000036496151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:28.721{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19071F2D381C46B4458BA839C5B37BA,SHA256=B775EB921BA943A1DF99EBC6B15E67C686494937635FB14FB74B9DF4E8A99BCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:29.739{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC65B2CEBC9E6A13629C09302DA26FA3,SHA256=C996DACC5EE9003BD863F98B9BC2EB5F569BA7FEAC1BB4399539AFE01BC6A57D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:30.754{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46308731B9A0C4BE959E278FC12B665,SHA256=D5C2D12C4C92583D1D0AE7129DA1A3C18C57AA9896018B47F56F500AC2850AF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:01.596{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50372-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:31.769{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A2EB1EEF215F6D23CD7FB5ACAF998F,SHA256=A2B857BBEC4727807FFB54813A80A8771C5328A9DE0E0C737AAF13B9DD06334B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:31.154{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EDF5CA0FC29FE846FBAB5F7F33B55583,SHA256=7B6561F3BC30EB3E31A0C44FF63D88815B1995996874CB35AB1215928D54DB2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:32.817{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1435A361E93760356229C0099E289C,SHA256=E8F3581B3C6E73C71CC33259FE2591F32032ECA1E0B3FAF8DF39B7A7FA39E93C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:32.368{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:04.030{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50374-false10.0.1.12-8089- 354300x800000000000000036496161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:03.878{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50373-false10.0.1.12-8000- 23542300x800000000000000036496160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:33.850{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D936FA071F791D70F5CB56D644189F,SHA256=8610459860020FF7E4C252BF440210F14D7018978FACFA1C315423BACBE3151B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:34.865{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180EC6B618E5082E6D2EE24F6DDF404E,SHA256=38398FFBBE89EF60BD6AAA26407E901FE3BE37C8301ADC9B187AADAC3FCF5A6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:35.880{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F332313189FAFE9B8D6F6452F2C3CB2,SHA256=FBD5963C519C4C2869A2A97ECA2A90821107DE27842AA660F3C14E53A17889F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:35.080{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=56F26C3BA0D9610C3EE7C1EE8194BBF3,SHA256=FAA42B94ABFAD621A885EB485913477C648EDEFA8181D06E94E2EDF8B69E5D00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:36.894{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949DD6B2A1133176A04B5E5DA86E202D,SHA256=38B6E50A26E2949FC246653C4AA6BE89E66426C3BBF3AB1199305D70C2FB0253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:05.613{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50375-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.914{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32486DF472E4858FAE6E42B23EE8CC95,SHA256=FA33719AB1846DB444EC846C423A084A6B27CCBC430698BECA8C5B9132B4A552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.863{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F4D-6140-4F56-04000000C801}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.863{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.863{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.863{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.863{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.863{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F4D-6140-4F56-04000000C801}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.863{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F4D-6140-4F56-04000000C801}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:37.848{B81B27B7-9F4D-6140-4F56-04000000C801}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDA5E9E3EAE6575D254209DE5F14561,SHA256=4E5B027BC4C44F388C31E88FF39FB61D8EA04A183E86D5AB3C1123417E356DCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.964{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545ABA38114B2CFC5B5F4D126A04B556,SHA256=F18625850F481B434E69001BD1DE9FE7E7438D28BAFEC261383FD783120F2368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.932{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFB261E14E9CA1F1F3557C2D2CE927D,SHA256=27B3E22BE5B8D0A884735FF62FAC1E93BCD3370D3FF57F7D50D261F60FBD8937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.751{B81B27B7-9F4E-6140-5056-04000000C801}96432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.562{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F4E-6140-5056-04000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.562{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.562{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.562{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.562{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.562{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9F4E-6140-5056-04000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.562{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F4E-6140-5056-04000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.547{B81B27B7-9F4E-6140-5056-04000000C801}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:38.016{B81B27B7-9F4D-6140-4F56-04000000C801}57006928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.947{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465C3BDF8CEE1B2635B6F9AB3D3F5963,SHA256=BC622EC7AA5A32AC9E8AEB02B0D20B8039E0CEA0D863E46043D429F16D27B1ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.888{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50376-false10.0.1.12-8000- 10341000x800000000000000036496197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.248{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F4F-6140-5156-04000000C801}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.248{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.248{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.248{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.248{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.248{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F4F-6140-5156-04000000C801}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.248{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F4F-6140-5156-04000000C801}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:39.233{B81B27B7-9F4F-6140-5156-04000000C801}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:40.978{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDB367099B3E98E7D6B1F14BA3FDB14,SHA256=B42BC0904A85B353BDF9725584BAA400D9E81966574F221241DD5E26759D1192,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:40.247{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDA5E9E3EAE6575D254209DE5F14561,SHA256=4E5B027BC4C44F388C31E88FF39FB61D8EA04A183E86D5AB3C1123417E356DCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:41.992{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB49D8AADBD4879192795F2B38FD6115,SHA256=3599C24D4A6A9AAB4F0D3A2B112A8141F67BE702A55277B35F283F8FDC6023B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:11.626{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50377-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:41.162{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7D6D245DEDD81F175BD0396D2FA2723C,SHA256=092A70912AF75B37A68315902456EDA9C05F481D615041AFA574B8FC216FFD1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:43.011{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FE0E14C0F060299C61470B21DED269,SHA256=9570F259DA228D59DAA934C11E59CFBCAE18AF29F99D4569411DD9CBF174ECC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:44.028{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BFA9506578527A3058BAFEACD41212E,SHA256=452A641E571C3C24042FA7D0CE10FD9B6688D5348FAFB7C7F3039FDCE80D7A64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:45.988{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9000696838128E6E29629085760A9AA,SHA256=B93D8F003553DF329DF540293B8CD6D5278E9EF3F30C86FF3283E4BF87BBBCC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:45.043{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18B5F797E288DE576FF6E76CEA766D9,SHA256=96487A745291C4174ECB4E63BCB600AA6A3A3C29238B8DB8769B5959D9BECD4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:46.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA19615C2B2624236D85B9E23530E3B3,SHA256=097B2B35D306FC1CBEA3F2BF07231B42FB2678BE8E3123CC05326242B972E6F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:16.637{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50379-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:15.921{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50378-false10.0.1.12-8000- 23542300x800000000000000036496210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:47.105{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098F742621121B96E0AB6D652D672B60,SHA256=C419C3CE89A88DD2EFD26AD6889EBE8E4F0C24638FA8236ED96BD11CAE10A48F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:48.124{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0201D853EC07BA4D114EBB194EAB95A3,SHA256=11F2D03328A615040FDBF65408DCB9DC3FDB7E31593A2BF7665FB63021294F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:49.204{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F237B22C2960435DE7F12E4E29BD9BAE,SHA256=ECD4769DE920E5C0F50462265613AF41609BF327B79EE83F97591DAA3FC15CD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:50.222{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C93BF097D1A7F38603CC2DD1D7CCBD5,SHA256=B049A3CBBA5767B58E102A188765D9226154CDCDF67090B6321532EEAD00D7B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:51.983{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3964133244328569F6F6D4D3B9B7C0DC,SHA256=B49805850559EED3B3C96964B2D68A0FD03E94B0569A746F2B7AF9874D93B6C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:21.679{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50380-false10.0.1.12-8000- 23542300x800000000000000036496216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:51.253{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7207A2C103B59B5D0AA195F4659C9,SHA256=C49C908BD9F82FD0AB9449F9B31EFA2CE76FBEB3957114124F75A356BBB7FC4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:22.647{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50381-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:52.283{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0898571E6D7AF009CF6808EC681081D8,SHA256=E8B3D2626471BFAC00D05EA506D32CC815C1E408FB831A3B1AA12E4CBEAF0022,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:53.300{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31496B8597DA33E2E2250F88252921F2,SHA256=2E52DFC019E12DD4C606B37D3AEDDA3ADB7CFD9A0E1427ABD7115832C0BB78C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:54.334{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47EB5B69E64250CB40BE1F07D553D39,SHA256=0677C1F2692BF626E1E8B2FECB084E1B50256DC4FD996B5E5AEC681B36E2FA9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:55.359{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5361ED669CC7DB511F8C1B657F6419,SHA256=47BEA73D738E90331AA9533CFF15D0CC31E5AEBBF0194885164A74134EBAF151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:56.389{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300F89A6698B2499FD5E26E5C6C2F04C,SHA256=655D542177D2EC786E1ABF30EF5A02B56BAD3B5D9A784EC477D86AFFD53C6544,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:26.659{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50382-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:56.008{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83F1952E46F36DAF8F04DEB2C11BF2CD,SHA256=995B15436412DBAF39BDA4AB9DD20D464AEF219CB9A8663471E9F55C21133934,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:57.407{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A00F4204BDD47DB61DD9C5AFED6C5BB,SHA256=658BA1F735F36E9A630897CAE0993FF4523DAA18CC79363107907F212317E33C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:26.758{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50383-false10.0.1.12-8000- 23542300x800000000000000036496229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:58.440{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3149B8208AF52F09F7C600ECBA2975D6,SHA256=7B974150D55315DE9F0D0BB3DAB0E3CAB4A5EE29144B6335E1D58304988A1967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:10:59.485{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1F981E618CB519AA6773C85A171E45,SHA256=EAB60B7FBDE1356B7A34E203F114DEC78B0418F376ECF898A9BFCDF47F740452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:00.503{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65ACC201933D2597B338F115D1A2AB78,SHA256=42AC68F96BEDDC3A06451BE6EDC1094285A16F5000CB3AAEA231213E8C8716D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:30.665{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50384-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:00.222{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B05A6B52539C4FD67682B8A269D2F7FC,SHA256=FB27DBA9F06455C402ADEB3E8C947CF48487E3967D9B13E2313E3B65EA5DD6FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:01.536{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5576DCC2F9387034B0FA3D4E10540AB9,SHA256=A2C2BF0BD550E756BAC8DDC4F46AFD51D99110C03D34D749FAC802F6614FA5AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:02.567{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2F8B7B99942BAA4BD95D2749A4615A,SHA256=6ACF428C7D3C96ED586FEC38F1E0B5355D51BABFD092047E8C3475F6D8FB0BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:32.747{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50385-false10.0.1.12-8000- 23542300x800000000000000036496237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:03.600{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE4B69FC3870C4091528ACE5F2F27DB,SHA256=76DF475FF95558681348FDDCB9D9F4F26C4B3D19EB23F4C3F5124117779A7A9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:04.620{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85FE77D66D8C47996CEA94A5FDBEAE6,SHA256=AD11D67E459C4E3BCB0C95FCE852A82533FBC235ABC392432CC21B920F165633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:05.634{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE2BFF9B82C198E6DFEFC96B4022598,SHA256=910E4B205AC2C7C1C8D6149A6A77E9AFF3700133EBF64A76C48E70394259DDAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:05.035{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=161F7887C726E4084C384D20CBFA0B9E,SHA256=CC64FD2AF0A4D536DD7D26DBD3A20EF8927BD06B2B052E31B9EFDFE3E1F269D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:06.649{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E81DC764909CA42F984359E9729B973,SHA256=6994AD242F554DE8DDE9AF890272772527BAFE2D8695AB8D24FD972266790F24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:35.677{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50386-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:07.663{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAAFE31279F4C778E1C5B884F978B2C,SHA256=BAA565D3157AB880F1590479CD32F0E368677005819A8F7F93874ABFF7DE18A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.799{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F6C-6140-5356-04000000C801}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.797{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.797{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.796{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.796{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.796{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F6C-6140-5356-04000000C801}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.796{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F6C-6140-5356-04000000C801}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.778{B81B27B7-9F6C-6140-5356-04000000C801}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.699{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE152817635A6ADB928EAAD15953DEA7,SHA256=F7B8A3187E46C947F24D2908A1F4F171B1F6E0BF39C96A1D091AC4117A7D79B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.774{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50387-false10.0.1.12-8000- 10341000x800000000000000036496252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.262{B81B27B7-9F6C-6140-5256-04000000C801}67242936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F6C-6140-5256-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9F6C-6140-5256-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.100{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F6C-6140-5256-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:08.079{B81B27B7-9F6C-6140-5256-04000000C801}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.714{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820E700ADB3D1E8DB022CFD2613B9D75,SHA256=C451ED4DAD28495E681B92C98C78673A81573D551028126BBF2E94E225828A49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=51CFDA1C270C0E2BA6BCEFE4F40DDF35,SHA256=BA76D9FEEA779550F8A4D71D0EB73E7F83BF7F31B91AD4F0355EC595939A4614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.097{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A02034E5C3DA78A8B1145384E72CD0C,SHA256=A262965FDB8467AE96129E6E59C1555BBF5FA1CDC27423647E3C6A3590AD2C06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:09.096{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=428A7F449D6185AEF177EF1A1E6EE122,SHA256=D0C978869196F30257E26F50F563BA444D6E5BDDEF2E1337C3E19BDF11F18534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:39.695{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50388-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:10.718{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78940FB11E52B53EBD93210C09224A8,SHA256=76892065DBB8604F437B5B84119F97B305DA822105363D115E0AEF39A43EE8BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:11.732{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4F34F90E4D7ACA36C2E00532D4AE2A,SHA256=91AD3EC458116AFEDA67442401C025162309230705CDDB005A146EEF97E1A48D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:12.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C84180C941D417FE15337DB8705F955,SHA256=89249807128E86D1D554447D399DD71B84941716AC0B6D08AB56304E0432A2E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:13.776{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8AB601CCAA9D86A32AE48F761D53DA,SHA256=F005C70C1BE05092BEE8E4CD7EFBA045A765D6F5DEECED1AA90EB2A66BCD92EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:44.756{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50389-false10.0.1.12-8000- 23542300x800000000000000036496272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:14.796{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB123AB0CA8FF9498E6CC12DDEC63CB,SHA256=74CDF4FFB7BB638BF0C7CB71D6105F798F9B89901393C16F63E68D83973534FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:15.811{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21CD5A92F8DE9B0729E08341C0318DA,SHA256=A84876F3CCF267DD345ECC409701E122EE6860229277885710653A4A8F954ADD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:15.143{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E8221794FF9992AD3439156134CE7D7C,SHA256=9DAE5EA706EFFC4FE2D5C8993A8EC831972B171DA858404D08F0D7C509E09852,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:45.808{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50390-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:16.826{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833103081EC774D0FBE113E396954139,SHA256=74DDE1EBBC2884E500264D57989E7AACBF168E803E2C679657F6CE45ED88CFC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:17.841{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC9BF08458C334E5EB5D0041F29FBB3,SHA256=B8618081B94FCBBB10645DAF0830475E7D45E788DE73533E67D8615FFA9769AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:18.888{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5923E406D52F1999128C68BCC85D3C46,SHA256=F77BC5E227D461EE9A0A60F5793A0B985573A5DCDD7C71B0060ABBFCEF384DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:19.891{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3645CDEF0DBA2DD1D9590ABB78A586BE,SHA256=011046FF3483AF7994A159892CA376E86E680C3DF4B7BCB36A6E8B540DE43314,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:20.908{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9D90C43AA9E99F8E9C72975C5F5DB1,SHA256=71BB709CC8FBD10EF1C9472A979CA78ED07CFF3B05C9B607A76081F35BB6168C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:20.175{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EE312C0CE1813420D2D05DA187869C15,SHA256=87D641502F9186C4FB2662A279655356B2EDE385956A124F88EEFACE69A2AFD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:21.939{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA30B3B2D8DA4ECEA47FAB5D4B7CF8D,SHA256=DC130DE88B5200DA63E5F2C1858E3BDFC0C44992AB3ECBE8D722953B7D508346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:50.834{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50392-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:50.765{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50391-false10.0.1.12-8000- 23542300x800000000000000036496286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:22.969{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325132C7F4E7DDF42C4A0982A40EBE68,SHA256=202B5459E49DCAA93E8CFA04DC9CCA87DF4159F6ADDFBB6198F77E2FFB86259B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:23.987{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F648B4B78C0E0B90187D55CA79897FC,SHA256=08981DCB9CB1B01449605DF5A68283AEA9309C774504000AF2AE1872378BC42B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:23.206{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8986BBB726E2C7D9691149357A294718,SHA256=9D76E0BCCB2AF491FB41C25DC736AE1DB2DB4ECA329143CE30B05EAA81A4D886,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.936{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.921{B81B27B7-9F7C-6140-5556-04000000C801}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F7C-6140-5456-04000000C801}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9F7C-6140-5456-04000000C801}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.252{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F7C-6140-5456-04000000C801}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:24.237{B81B27B7-9F7C-6140-5456-04000000C801}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:25.467{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BAAD576212EF1B67F6C699B83C66A2,SHA256=D1ECB69DE231408B9A26282A05A523048A97D81986DFAD696835DB6D17F830ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:25.467{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A02034E5C3DA78A8B1145384E72CD0C,SHA256=A262965FDB8467AE96129E6E59C1555BBF5FA1CDC27423647E3C6A3590AD2C06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:25.089{B81B27B7-9F7C-6140-5556-04000000C801}46642776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:25.005{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF20A7470B138AFBC3807039DB80F34,SHA256=D37011927AA27F45F3F49354F5BEBFB787DC76261252B161986E2419DE75AF32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:26.252{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53B566D5924140D9B2EE95A264E1514A,SHA256=CADEB662D83A66099DCF80E11671DC5645863DF1F75EF5F5DCF81E378CF7FBCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:26.021{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C7914461E0C408FF85DA02688E38FD,SHA256=78D0C3E40B10FFA92DA58A118423EF81B9C61B35E8D589DD9836CBBDC722E1D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:27.036{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9247BB81F45E8E5C0F9669A3E500B332,SHA256=13EA9300F05734BF426A2235D5AF721BED3A11173733C3EA0C9CFD1DC66117F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:56.863{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50394-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:56.784{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50393-false10.0.1.12-8000- 23542300x800000000000000036496314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:28.050{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BEE4B54CCCFF89F2764472045C950E,SHA256=3DD15922C9E191F05971C4F5BA5F6233099F04A231A849A21A0E63A12936D490,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:29.066{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C2D4A628A9D8AC9A967AC03AF961DC,SHA256=CBC60F7D13EF742376A798F76D2B1328535F9549D7A253070D9295259309C0F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:30.218{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=260C1EDA1F9985F2E83B122408B6EB13,SHA256=F3E339215CAD9BE2643742E6E78E0640B5904DE325065B43C0EE0F0549CB5C92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:30.083{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128FE290CF64BD4666DF3AD62B63BF16,SHA256=957D6EC85D4B461138F4F2348A4DDF0005CECECDDE49A45B1D4AFA2408F32B6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.882{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50395-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:31.102{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405D745660CEA799F2BA39E300D37B04,SHA256=C01BD2E091B0B76C953D2BDD6CDEE49650C8D4F9039CF99FFC28A700F79B29E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:32.401{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:32.117{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F448CCE48D3AC07FD40ABE58E876349C,SHA256=1A0DEFBB552CE2910DF06E6E0161150B3DBDB5956B4EA93C02F197432236948E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:02.812{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50396-false10.0.1.12-8000- 23542300x800000000000000036496322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:33.132{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097E3276470EA7FBFC286D77F97532BC,SHA256=C535CA539B735C5BB682B89868D60A8F525DBFE92B28798753477352F0F8D28D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:04.058{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50397-false10.0.1.12-8089- 23542300x800000000000000036496324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:34.147{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAAECF622DCD8E75B154AC3FE06DE7E,SHA256=66FB0DBD7462A4F891F1963ECF2AA609838BCF9165225130B4B6B98D645C9827,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:35.461{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=513F5697C242CD676E1D47E0A5645F71,SHA256=60B1C4354FD93EE6A6E3D4A975C31082A2EB2BF7FF07EB2B5161BA0E6D7CAFB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:35.161{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F595AF1F5C5F447D50E4598F5F1C8D99,SHA256=E52617E69021C380C59F6B67788B1111C662506E15B8FCC24146605FC14DE7F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:05.895{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50398-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:36.178{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718F8440EBAAA6FEF894C189929502B0,SHA256=9C3EDBA39DA8C7BBC93DA230B5F64507C3BF410C14BC59A731E21BCBFFAA9B9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F89-6140-5656-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.879{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F89-6140-5656-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.878{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F89-6140-5656-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.858{B81B27B7-9F89-6140-5656-04000000C801}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:37.196{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB4D86ACEA1664BD8E7671E8D555C75,SHA256=CA14662227DD0C16D8CD4885312F0700ACEC45B019CE77608B0C79B39E8A0DD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CF38580D836B52855E5B7088BA568F3,SHA256=1588BA5A98576072A656DCE07EB525E36D70BC3E71A6747518CDCF14261E7301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.877{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BAAD576212EF1B67F6C699B83C66A2,SHA256=D1ECB69DE231408B9A26282A05A523048A97D81986DFAD696835DB6D17F830ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.557{B81B27B7-9F8A-6140-5756-04000000C801}36004544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F8A-6140-5756-04000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9F8A-6140-5756-04000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.410{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F8A-6140-5756-04000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.395{B81B27B7-9F8A-6140-5756-04000000C801}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.226{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A6F0C8780F2E40226994E48DDA3F51,SHA256=7F1203D6B78E099CD5335E43649330A058DBF3C75466B4E836FA3F852E1AB877,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.026{B81B27B7-9F89-6140-5656-04000000C801}54804984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:39.977{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CF38580D836B52855E5B7088BA568F3,SHA256=1588BA5A98576072A656DCE07EB525E36D70BC3E71A6747518CDCF14261E7301,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:09.921{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50400-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.822{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50399-false10.0.1.12-8000- 23542300x800000000000000036496361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:39.475{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9915C0C81B1A594E640705DBE9158861,SHA256=A5C575A0BCA50357371C3DB3C0F0F55259DEA4EBD895D44AAF57467048BD9DF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:39.241{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1F210895F9E39FCB4E4B5652C8C2BD,SHA256=6E664E7190B4EC21F55219AE7F68A5C647688525CBB62A05736555D20E9640F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.994{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9F8A-6140-5856-04000000C801}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.994{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.994{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.994{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.994{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.994{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9F8A-6140-5856-04000000C801}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.994{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F8A-6140-5856-04000000C801}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:38.973{B81B27B7-9F8A-6140-5856-04000000C801}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:40.255{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6636D38F05CEF9E3E6FA9126DFCD55A3,SHA256=90BB87C386226F28EC10832264DB47F8B0BF928D9F15128A6A9FCDD08848DC84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:41.274{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097E868F3151D39A4CA07F60092CE355,SHA256=108AC3E21F6B897476C432EA45E809C2F00B7854FED7549A6391D4328513EA6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:42.291{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280CAFC3873CA158269FFB2E5D94E87F,SHA256=22AA84F0320D515A21496F9640179BC5733BFAE59B54A6D9226E324C7955C2A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:43.305{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5369F311BCFA0E41DBC7C2997CD1D987,SHA256=B1743AE1C404E045E9E8D8DB3D7E328662DA2B38F23C2EA082608F35E5CFADA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:14.932{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50402-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:14.831{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50401-false10.0.1.12-8000- 23542300x800000000000000036496370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:44.335{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265EB80307D9DD1788CA65C4A7E11929,SHA256=CD657CA295EB833ACD0ABF3D0C7E23AD08E0749889A330A94576EE66DEC1BA54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:44.270{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85263D5E647639DDFDC58E8FC3EFD838,SHA256=2D6D71BE68CE858AFE1070E496386E135FB9B8CD45C64222F67FB93E73CB5B7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:45.350{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4929AE37F728D0336C99F2061EF1AECA,SHA256=B5159AA27E0D03BFA70BF38E7F35C4B029BC73E88F739BE710E133B708B8058C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:46.366{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCBC9C47F301B1E026DE77569EFA105,SHA256=B152AE8391C0E277B6F41C7E00B0FEB3DAC2C8E280E1413769A4A253664E7F13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:47.385{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3A1CC1F6B4DC292D2AECAB46793E08,SHA256=1C3EC1DA36BA22CEA5D67FA79E392BE530D8DC965E883E9EC245F16D08A41A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:48.415{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9474CB052BDDF79DC870E808809B930D,SHA256=4E14D7E604AE79F55B4B2FF2A45B57C23FB5591718B8DF75214F6D6F5975C620,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:19.942{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50403-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:49.445{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BCFCD88BB6E496D54D55B8668824CB,SHA256=8524984A057986DA98B3BBD811C350475F1B50AD97076813F3176B9534FF3E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:49.398{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E65B2BCAD674D96BD8E80EF98E687D1,SHA256=A21972F37E638959A2A9FE3614C7CFEAC64178358C53B74BD6D1E496D548A2EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:20.840{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50404-false10.0.1.12-8000- 23542300x800000000000000036496380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:50.462{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B65DD26AF99B1A618A0CD9F520E315,SHA256=9F60F747DEFC6A65F877E8C7F234EE21CEEA3B0EF5554D7069D57D426F50AA49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:51.496{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFC52E354C88589933D80BB9ABA5A86,SHA256=287061F09FB66626D1084668952733554BE98C80A3EA9404D55E18D6B2C3EE64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:52.542{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37E2D69CAC0B03D9E43B02980E2FCCF,SHA256=E7A8A4565A68858BF95AFEBF453055DA36D4F0C192FCC4B42F3E6B25D8BB6762,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:23.959{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50405-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:53.559{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48756650D7279E11BBD8218E5311048E,SHA256=B42243BAD2FF6034B8C3F670CC4D6706AD979443F1C25E2C1CBA157B460AA545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:53.279{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2BDA7E01442E384A40D0823EB2ED903B,SHA256=8EE34D475B85CC031EB5B061D37C52264FFB11F6F9DCAACCDC124D9756B3B514,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:54.578{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3289CD0E78EDD6FBF9315E5C93312F,SHA256=9566A5EEC09264C3A3F18784B167A56670382E9218848D3790B6121E3B8ED480,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:55.593{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9752FB4ADFA3CED5D36F25501D5B6AF,SHA256=8E4A142DFF4A35AFDC2EE88B1E383CE745E82207F3B34B68A46A4A7182ACB880,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:56.608{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3D98DECAA8261989F3F035581724D1,SHA256=DFB1FDC9482D873441D3D369A779769B26EE6180F72BCC01C7993FA45683C097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:56.261{B81B27B7-2BC4-612D-7CF4-01000000C801}4056ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\reed_schmidt\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4056.xml~RF8a2dbe58.TMPMD5=7FFA55FF6AC84742FC67B49B83BE3F12,SHA256=786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:57.622{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C509230508697F8D99D8BCE583E5394,SHA256=11860514546674F7077DF94B71F56DBE622F67D1DDA3F56A493FAC8D6CE6BF9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:57.553{B81B27B7-4012-611D-0D00-00000000C801}7922340C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:57.553{B81B27B7-4012-611D-0D00-00000000C801}7922340C:\Windows\system32\svchost.exe{B81B27B7-429F-611D-0601-00000000C801}5536C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:58.636{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A528A63B94CA5B71C93EAAD61917FC,SHA256=141DBA80DF12F70C10A5B806646A06A8BDF675122D6FB23883093CFCD6E6A491,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:58.521{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8446CA464D57919B269664FA2B3C6C2A,SHA256=96B9E2F61301C6A14462750E273808CB17A54B4591E6C76E583ECACD8AE5B31D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:26.873{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50406-false10.0.1.12-8000- 23542300x800000000000000036496399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:59.655{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8F02A32C7890880B70F83EE595582A,SHA256=46AF43E1546CF8B440425E5645E7BDC5D397DE24A269DE3103DCCD5F1ED3721B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:11:59.404{B81B27B7-4012-611D-0D00-00000000C801}7922340C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000036496397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:28.971{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50407-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036496431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-1F2E-6131-9C70-02000000C801}6620C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4133-611D-AB00-00000000C801}4564C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:00.603{B81B27B7-4012-611D-0D00-00000000C801}792812C:\Windows\system32\svchost.exe{B81B27B7-4134-611D-AC00-00000000C801}4856C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:01.034{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C91144C272E138881E9156C6065D339,SHA256=F6D3593133DB9456B6664A83EBB2B77599E06E1D20AE0D5F1705B53DCCD839B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:02.102{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0E6DE69FA2C719913B17683B9F9248,SHA256=A35388380235274AE786066141A71B7D4B3D8D7C2F4BB14136FB836E5BF49B96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:03.518{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CD34372CA12403E6316CF04AB13D3846,SHA256=6114F7217510C0E464DB00DB6F9DE950C93DC34E512182A67A6B0CD75C7C6E16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:03.153{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665F1A65D17C63254F5654E9D4A85AA9,SHA256=D633F37B38FAB9F65698F7FDBC9ADCD2768FA1398C87239B36342E064A9D8509,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:32.881{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50408-false10.0.1.12-8000- 23542300x800000000000000036496438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:04.186{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A4776F4391E831693EF04F9F0158A3,SHA256=F7CF2F49615A83BD4FBF0F931975AF8A91F81BB39FD5FDC146D4AAE51F924629,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:33.981{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50409-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:05.233{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDBB61A7EDD4A8986BE2E10031629C9,SHA256=6D7A4B10EA3E25502C6B86B3C80CA8BB731263272CE45E7B3A90E3DCCFD8D247,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:06.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF20CB1D7D0A82340CC5DAA744251FB6,SHA256=92FA13308D117BDDCA454878BF794B40328FC0CA411A923A5451CC6BD443EB91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:06.986{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDD06FF7FA19450EF371AD3F8F4AFDC0,SHA256=799A6F52A6252649382223EA152B4FA3F9C276595A11A13C41F8DD9E73119002,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:06.251{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F80C9AAAA08A5AA2ED49757DE0053B,SHA256=37B78212E53A772BF20B2FD3AD285FFC3A1117F23CE5AB9765B7A1BDD52BE6F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000036496440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-09-14 13:12:06.001{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a96a-0x1da9da23) 23542300x800000000000000036496445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:07.270{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505C6DC7AADB325421766D7BC28F6385,SHA256=456CCAE6511368412FFBC94481E83D049F8FD201AC026CB03F3AAC6ECAD332B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.664{B81B27B7-4012-611D-1000-00000000C801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14WIN-DC-128123ntp 10341000x800000000000000036496463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FA8-6140-5A56-04000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9FA8-6140-5A56-04000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.684{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FA8-6140-5A56-04000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.669{B81B27B7-9FA8-6140-5A56-04000000C801}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.300{B81B27B7-9FA8-6140-5956-04000000C801}44045356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.284{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD17338C14B20FF3ACB33B7572FE82EE,SHA256=08CD79E27BF3A7B8D7B462E22C13153A8552F65031F13A5BDD21F49DBB0C1830,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.100{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FA8-6140-5956-04000000C801}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.100{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.100{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9FA8-6140-5956-04000000C801}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.100{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FA8-6140-5956-04000000C801}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:08.085{B81B27B7-9FA8-6140-5956-04000000C801}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:09.800{B81B27B7-5BF5-611D-6D04-00000000C801}5004ATTACKRANGE\REED_SCHMIDTC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\reed_schmidt\AppData\Roaming\Mozilla\Firefox\Profiles\ascrdua7.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:09.384{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4EC65F928BC5337EABE6BED070C3CF1B,SHA256=CD3EBD7ACFCA6A61C11F943A187D12AAE66BC3D627B6DDCC2B27F59D1B67E7CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:09.316{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA41D86D9CD0BC0A2A6C58F3C37C976B,SHA256=549DD1DA8438EE4F346D904AF9A61257C8CF52D0EF5DC922763DC6E402F7A980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:09.316{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF20CB1D7D0A82340CC5DAA744251FB6,SHA256=92FA13308D117BDDCA454878BF794B40328FC0CA411A923A5451CC6BD443EB91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.927{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50410-false10.0.1.12-8000- 23542300x800000000000000036496470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:10.349{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72B47FB7B37FC5C1122999F40847E9F,SHA256=7BF66ED2D7D80AA00014D38DDC9898DD61A3C0A25767CD776112EC396B22A9C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:40.027{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50411-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:11.373{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2299F9F60276CFAE11AFA6CA76FAC69,SHA256=1BCFFA9EB56C58ACEBB4E33D4B90050E7194C850634F4E5C0D62D736C4D6279B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:12.403{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EF6BE93B768A473DF671F838F2C2E9,SHA256=EC33B4527C11E2A79148D54189242BAC8E40EC891993FEA02FBBF1D9A96BE95D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:13.433{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90889BEA0ECFB0E4FFE4236604972DCD,SHA256=8B4E53A465742A850AC8F2A11858F0FBE3305B3ABD7D27FA128F2AD42F7FF16B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:14.451{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E713858F5E431367C808899FE419F9C8,SHA256=6014AD582FBD98418F3B54D251C3B755DEBE3F4F7C761F09B1A3B6E99C3BFB37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:15.485{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D4579282DDCDA3DDF580AE8F3AAB38E,SHA256=8336CEA5C7FA87C303ED2B0506FA23D452DA5FF4654E522FAAFDBFE1FF768590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:44.913{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50412-false10.0.1.12-8000- 23542300x800000000000000036496475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:15.469{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1396C0341D265B45A21B9FD238C9336C,SHA256=3B2AEF446FAD620D5973465E1C228651B9667262EE44341E39BD81E9F6463737,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:46.033{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50413-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:16.484{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE6A2E6C2A23DE12F6977514A8A51A3,SHA256=0E40C7D18B2C34A251E4EED36204256473049382E67735CD103CFACF0513FCEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:17.498{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55ECD28033F7839461C1050C0FA4D587,SHA256=7ACD8D10135709753C7AF68B16075629B0C3241A333A54CEEAEBC300CC80293A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:18.529{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFE5944501FD297BCE5458978CC5DEF,SHA256=ADE70FFC1266A2EAAE22B4D3F107786AAB4046416454AAAF12AC634D83255885,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:19.581{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921ABAFBB861AE64A223E122587FF490,SHA256=7E4E8B01D1784C79677479D7B000CCB887C0DF969CE19978A2EB92941943D48E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:19.381{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E1B92DEDBE7D261F69DC8DA741CA3639,SHA256=A3E3E9BBA638CA9840DD0F5CD53C3606B2581482875F20AFB0B2B297451CA26D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:50.047{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50414-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:20.611{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC8F98A36601E67B7BA74153CF5DE4C,SHA256=68AC84D11777CCB77B4EE539DE0B19671F659046E1D9F326B1FB62C5A1FDCA04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:21.678{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802AFB72D55DC739EC81B50501DB9456,SHA256=09194FC3B6EC17166C394C3334F2447870B624CE1DC4E4A3F1F5688B6727D184,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:50.907{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50415-false10.0.1.12-8000- 23542300x800000000000000036496488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:22.693{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED1D46501AAF8DCB8C59C9884841B01,SHA256=4AD040FF68D4A518497E678E5F63B9DCC690F2FE828DB44F1CC8B70118CCFB7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:23.723{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158134CC58CF7D39F1226A0A7A4C66BB,SHA256=39F38ED4957A0903C04307F4E0850A976CA7FD8CC3F93254603D19D58D3D380E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:23.208{B81B27B7-4012-611D-1100-00000000C801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4C2A55E4F1A44961F76B64E076441459,SHA256=E3258DB278662BFCF406EBD3C2BB88FC6C265B3736EDEBC5BA486098100F238F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.747{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FB8-6140-5C56-04000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.747{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.747{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.747{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.747{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.747{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9FB8-6140-5C56-04000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.747{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FB8-6140-5C56-04000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.742{B81B27B7-9FB8-6140-5C56-04000000C801}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.746{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2F43E0D93F8562568AEEAD034EE12F,SHA256=666266D5B624F1935B9FB2300DD275647CCB874824ACEB0F1D5D760C44592EDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.545{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=74675A750CC296C185AA1913FAAD2682,SHA256=2370B2FF5E3989A2EEA267E9EB4504F9AB0B6EF28D3CF0597F0A92C7D91C5F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.307{B81B27B7-9FB8-6140-5B56-04000000C801}29086400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.145{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FB8-6140-5B56-04000000C801}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.143{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.143{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.143{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.143{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.142{B81B27B7-4012-611D-0500-00000000C801}420536C:\Windows\system32\csrss.exe{B81B27B7-9FB8-6140-5B56-04000000C801}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.142{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FB8-6140-5B56-04000000C801}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:24.124{B81B27B7-9FB8-6140-5B56-04000000C801}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036496513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:55.057{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50416-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:25.762{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6106160214EE8A36EA2F6EC304868290,SHA256=34B0D1001B48F279AA1BD2341C4C46FBC9E9BA1DD5C08B40AD464F753AACBB63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:25.125{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591766723EBC211F8C6655F95E970B1A,SHA256=347CF4B3523E2C364B0638F71D09D902CEA5FBF8B6EA9DBC5E5B20939DA7CDBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:25.125{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF836E7288743012DA2BA0413D92883C,SHA256=EA745DA8952B3F6DE445E250791E100ED8BBA3095AD20986FF14E17A32C7A2A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:55.918{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50417-false10.0.1.12-8000- 23542300x800000000000000036496514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:26.793{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749E6BA284B7B5313BE1A34C59FF57BC,SHA256=D0CE1D49AA021859DB15F5532054E899A4BAE745C861695509DC0D95E91ACA49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:27.823{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A6B1AA48FE3A2F04EAB834CAC6575D,SHA256=BCBA7DB910B55FF3617F3690E784C1B9030A70CAC353BFCA9A7D4EC28E1CC519,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:59.072{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50418-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:28.841{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61152B2421B2C4FCE810879C53E9F826,SHA256=1512AB2DAA6CB5D72E86731415EE332C381D3D7051A327BB20F2C0E98C45CC84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:28.441{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86E15DA80BABDAC41283AC2A1F3BA96A,SHA256=5B72FA76A3FFC8C922FC59D4344CA6CA394B32EEEE8A9FEC076BBFB83DB31EE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:29.889{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F339181BDFDA1172C785E4FC515874AF,SHA256=DAC3DEA52C4F4139D9D1820B3A5E28A7F5F0AE3D00058D01DC004D2F1781C5EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:30.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3201EF6942CF1E7CB67A9CB3B795436,SHA256=91FFF1003CFA707887E7DC60AA674C6D9D4CE283E8BE41A29D0C26390B3DCA44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:31.904{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7022B6A7424B160EECE94856891120,SHA256=CE20A1839C23F3BDA4ECCA6BFCF1BE2944ECF161C712F8BDB8CDC4377650798D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:32.919{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649E68570347B45F58D2B89287F209F4,SHA256=74644E924C8B5CB63CC86C6D91A6436E6D354B7A5CFB37823B03622A11355412,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:01.915{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50419-false10.0.1.12-8000- 23542300x800000000000000036496523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:32.420{B81B27B7-4013-611D-2700-00000000C801}2076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:33.937{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67DC0DA78DE45D7A422D909B39569D5,SHA256=F09DB41B7ED93A057AEF4C23502AA62775CD6AC8590FBC5D702CAEF9DD685478,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:04.084{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50420-false10.0.1.12-8089- 23542300x800000000000000036496529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:34.956{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3511B86BF9F5C0E04CC9C044EA97CFCB,SHA256=A0921B35C126D5FF34B41F6EF8D7CCBAF028158CE6B5FF8FD8857D18925C67A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:34.439{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB8AE4E226AD65D76BFAADFEA1AFF25F,SHA256=C1088A1532A2C6F0DD6A90C5205412748609CBB0AF309C6351DE213100C274C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:35.971{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4A0847F2C582BF3ED4211BF47547FD,SHA256=5FD150925D2B2B3BB1624F3346FCBF83DDCF6C2D13E8DE11651108CFC0A83224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:05.084{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50421-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 10341000x800000000000000036496540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FC5-6140-5D56-04000000C801}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9FC5-6140-5D56-04000000C801}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.884{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FC5-6140-5D56-04000000C801}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.870{B81B27B7-9FC5-6140-5D56-04000000C801}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:37.001{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F6228348177D0088597956D6AFA1B4,SHA256=6AD4065DC6A32A5FFE0B75C1384A4E2E53D1A9F3C99716A8DC763C160FFAD4C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1043BBAF824389D1F3219878E9B19B10,SHA256=3A477122D73B91CB4E5726AA06333961D22976F068C391629E630D096DC3E666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.885{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591766723EBC211F8C6655F95E970B1A,SHA256=347CF4B3523E2C364B0638F71D09D902CEA5FBF8B6EA9DBC5E5B20939DA7CDBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.738{B81B27B7-9FC6-6140-5E56-04000000C801}67407116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FC6-6140-5E56-04000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.570{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9FC6-6140-5E56-04000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.554{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FC6-6140-5E56-04000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.555{B81B27B7-9FC6-6140-5E56-04000000C801}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036496543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.037{B81B27B7-9FC5-6140-5D56-04000000C801}56162756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:38.015{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE7F5C68ECBA291C87372A680362A1F,SHA256=E6EBBBA3453F8ED3A8435A34375038F6DAF847540354BA59B6E304C1EF35F2B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.916{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50422-false10.0.1.12-8000- 23542300x800000000000000036496567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.621{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1ED810ACBF5A6460822CB3BB6B268783,SHA256=1930848F6DDE4A0FEDC77F392E84B8758C6F7E7837363914D0507DDA5E4094D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.574{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.574{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.574{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1500-00000000C801}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.169{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FC7-6140-5F56-04000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.169{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.169{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.169{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.169{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.169{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9FC7-6140-5F56-04000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.169{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FC7-6140-5F56-04000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.155{B81B27B7-9FC7-6140-5F56-04000000C801}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036496555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:39.016{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D407A5620F3651854CB674AA853D7AC,SHA256=053EF219C151CE845FF408C853CD49DFB279D68394365899902EE7C6640134B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:40.158{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1043BBAF824389D1F3219878E9B19B10,SHA256=3A477122D73B91CB4E5726AA06333961D22976F068C391629E630D096DC3E666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:10.213{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50423-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:40.042{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FE454C86D6497FFF388B9E8AA26D12,SHA256=2232A7485CB7AADDA82D24E29E1300D5A0E2554264178A2D43144356BCFEADCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:41.057{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC32C9751E3A7C7CAA26D7CD0F7C542,SHA256=A77EDA217BC243B3177199F895D88D8C0CA7F88916C0C6DDD056A766EE3E1F7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:42.071{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F2E5F5AF9ED7D03216C38A70A93EDE,SHA256=756C8E3473B733871F9F94FBCDBC91CA5BEA9167DD6292F0CF26AB124A06B6AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:43.086{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E26585D79EF93F86655268134A8931E,SHA256=A5107B24143467D8BEC36B9DF69D483F41843988ABCEF79338FBD917E07F9844,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:13.914{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50424-false10.0.1.12-8000- 23542300x800000000000000036496574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:44.100{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BEB4051022FBB93476163F0B3606A7,SHA256=127BD2980702DBC05923B2AFDF70E9DE9B8CC6170C2B2B0BDB7FD706F9B95673,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:45.668{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=94636C45487C498C075C94DFB018C070,SHA256=3D2159404EA431CE9F9F53C9997A7AB217BFFED8933C234002252447B5642ABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:45.115{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7E340F89626D95A07763315B500A2C,SHA256=16DC3AD43138C11807FDEDBD545DE20A54E7FF400BF1C528EEE67AE9AE564721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:16.233{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50425-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:46.136{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA1CDFD385A3406236588B06D4773C0,SHA256=C0F3D70F3701EDA64C54F510B6251145654303D2EBC6B54894672C535F1CB53F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:47.183{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B29E87950E0C100FB26F9585E76F02,SHA256=871D20A7E11C774D737F03E29C4D9CD55229E7759980FD2EFC68C94ABCAE6F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:48.230{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340ACCEA199DC7FFDA1E39D443E2EE39,SHA256=F810817B59417ADA3D54C0F15CB81AC207BC4AEE704D6B8F1E4F940EF1B15FFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:49.680{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B916EA44940AE79DE7804599286A241,SHA256=C383F49C4216F2D419EB47D5C6CFA4CBD32BA19953237179AF0989BCAA684939,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:49.265{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A247F034793480CFDE21F9C07F3F3D0,SHA256=661768C2A2D65C87837A4055D865B38E7CF2DBDA4DF16273218E5D993442A59A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:20.246{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50427-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 354300x800000000000000036496585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:19.912{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50426-false10.0.1.12-8000- 23542300x800000000000000036496584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:50.279{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6807C7375137D2802E6CB0AB8054C35D,SHA256=F58B2D07C3D63EA5680412436C646C8D4EE00211007B1541DECF0067171CF46B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:51.294{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E332B377961DA9A9EB4514EEBD8A78A,SHA256=DC924B829CDBA2A41DF8A2C46481BB8ADE85171138FEDFF09FED8C843E43EFF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:52.310{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B167A5E00457643566064AD71A2014E,SHA256=43C0841D34701B02BAFDA896FA0C3667CF59B39D575ACA8BBC744B2B67118031,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:53.326{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58590EB0F7F6147BA166677433C338E,SHA256=29AB64470ECFAB9BDB87525E2AD0A041F48469ED511288CB3FA88C2D3396CBD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:54.808{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B752F87B38094719268A3D185266CE6D,SHA256=2101961A5E0B421A365937EB5982A8DA1D736FD28D650A834A60F0CA7C988F61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:54.329{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93ADAA26C32A5BDBE3B81452FD51E84,SHA256=0A33FDE9D6F4E0B17EA4194007299EA8A6AE04DA812D1A6FF539D9DFFBFAE2BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:25.726{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50429-false10.0.1.12-8000- 354300x800000000000000036496593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:25.259{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50428-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:55.345{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6236DFB8A3CD6771BD1D1D0EB5724888,SHA256=CAF699FDF4BF7FD710BE441E926F6F098EF56E4C60765956A335A3C04B388D94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:56.425{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5D561E32D90289D27235B93F1F88B1,SHA256=EE72FFC48A8B228A4D36194E5DE2DACEE2050CB7E6E8CFC48ACDEB775BCFE79C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:57.673{B81B27B7-4012-611D-0D00-00000000C801}7922340C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-1600-00000000C801}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:57.442{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D177A81DDE160FFF6DC89FD09890E85,SHA256=B5DEA719985F8028B5CD2C84F31305EBE849E860D0443072BD93CEBF5AED2FD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:58.672{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=21C1A3506BE07EBA0382EA4B3EBE70D2,SHA256=0120135AEAA06E34E8A244FC63C96664BFE082C6FDD09BF3F85D81CB670BA837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:58.457{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA9FFB17260F82FDC1167CAA9480722,SHA256=DE578AC14E13B8134F44F445085F30260C70B3DEE5523E23A5339A621DAB667A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:12:59.521{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5332B1C436BE9B9B032B52A9FCC522CF,SHA256=AA0FF629C728D319DDDA1848167EE6546E0F61FBD5FE245F57F0237C305A49E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:29.270{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50430-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:00.555{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCDF4DABFBD2ADDF7A3B5DBFB719D81,SHA256=6F844A1446635D762528514B7F24E1E7A5B18B93206240345F811C9703D6DEE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:01.569{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0ED2AE12637B85352067CEDAFB8E2E,SHA256=B2C27D4E5D977F7CB02771D53DD7858160754F22F5215A653EE9E7FBD0C06030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:02.600{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4942973990328214941DF7F688ACDF7,SHA256=CE6191D0DDF83B9CF4F4822F9372CEE489099C2596EF89DB06037C6EFFE40405,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:31.750{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50431-false10.0.1.12-8000- 23542300x800000000000000036496607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:03.619{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=28A4BAD684CA0594540319E5853149D0,SHA256=7D365CD092EEB48744BAB7957F4C8381E4BAA615C49173730FD07AED140E108F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:03.618{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE46659CC938B52B7AF6DE5592DA841,SHA256=F26F81FDA33CE213B151E0F53C43D912CC1E23343C4D8C632F6BE4004427A497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000036496609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:34.281{B81B27B7-4822-613A-788F-03000000C801}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local50432-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal443https 23542300x800000000000000036496608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:04.651{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5A3A9166245359838754394BECCBA9,SHA256=4AB95B4CE6383325B0686DB88325B35E2F897C3BF4135DAED243859AEC6878EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:05.665{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6508AFA730C66A503B5D96F262216B9E,SHA256=804174DEE0290F24AB787C3F38E3FE06CA1A255EA3A6BCB575548D9F0C8F8BF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:06.714{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF99BC1F5BE10BAD4883CCAD642A9CC5,SHA256=E9B0BB1593D1E2474633DC5C7CC0EE45E6963C5CBFFC8F7287A8DBF904339DEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.946{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FE3-6140-6056-04000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.946{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.946{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.946{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.946{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.946{B81B27B7-4012-611D-0500-00000000C801}420436C:\Windows\system32\csrss.exe{B81B27B7-9FE3-6140-6056-04000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.946{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FE3-6140-6056-04000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036496614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.932{B81B27B7-9FE3-6140-6056-04000000C801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4012-611D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4013-611D-2700-00000000C801}2076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036496613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:37.760{B81B27B7-401D-611D-6900-00000000C801}3616C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50433-false10.0.1.12-8000- 23542300x800000000000000036496612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:07.731{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8569F3D9F7F8D2F6BBE8C0F669C481,SHA256=09A08BD4BB244C96AE384C906E95C65E57D0E079F961B45A53C7237697A4718B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79787A6E962541CB81C2170AA779F7C7,SHA256=AF7434E4D24E71D90E10B422D2610CC0F6AA00FEE637DC49597C24792A16F11A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.945{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2031E7289D1A8A0FB276601AFE733AB7,SHA256=B1F226AB84D972DF72DCFCADB880DFFD9E29FB28D5AFB126F270D487A413468C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000036496632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.745{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6610224E76BFB72009FADE2994220F1B,SHA256=D38CD4894462C99EBED0E4F46F6FD53A5B3121890E1E13BBD71BD58B89F6A834,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4014-611D-3000-00000000C801}31443164C:\Windows\system32\conhost.exe{B81B27B7-9FE4-6140-6156-04000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036496630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4024-611D-7300-00000000C801}2188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C224A8DB84351308B419A238038F6E13,SHA256=418BCD558AF28F42394A30328D7FA26AAB284860A9B1334FD30A07E0BA5A06A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000036496629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4012-611D-0C00-00000000C801}7324464C:\Windows\system32\svchost.exe{B81B27B7-4013-611D-2500-00000000C801}1820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4012-611D-0500-00000000C801}420984C:\Windows\system32\csrss.exe{B81B27B7-9FE4-6140-6156-04000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036496624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-09-14 13:13:08.645{B81B27B7-4013-611D-2700-00000000C801}20763760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FE4-6140-6156-04000000C801}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781